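  /**
   * Checks to see whether we are logged in.
   *
   * <p>The customer counts as logged in when the engine holds a session id and {@code
   * checkSession} accepts it. When {@code checkXSRF} is set, a POST request must additionally
   * present the XSRF token held by {@code kkAppEng}; the token is compared in constant time so that
   * a mismatch cannot be used as a timing oracle for the secret value.
   *
   * @param request the current request; its method, servlet path and {@code xsrf_token} parameter
   *     are consulted for the XSRF check
   * @param response used to reset the customer cookie when the session turns out to be invalid
   * @param kkAppEng The KonaKart client engine instance
   * @param forwardAfterLogin tells us which page to forward to after login. May be null, in which
   *     case the stored forward is left untouched.
   * @param checkXSRF whether to verify the XSRF token on POST requests
   * @param xsrfToken the token supplied by the caller; when null the {@code xsrf_token} request
   *     parameter is used instead
   * @return Returns the CustomerId if logged in. Otherwise a negative number (-1), which is also
   *     returned when the XSRF check fails.
   * @throws KKException
   * @throws KKAppException
   */
  protected int loggedIn(
      HttpServletRequest request,
      HttpServletResponse response,
      KKAppEng kkAppEng,
      String forwardAfterLogin,
      boolean checkXSRF,
      String xsrfToken)
      throws KKException, KKAppException {
    // No session at all: remember where to go after login and report "not logged in".
    if (kkAppEng.getSessionId() == null) {
      if (forwardAfterLogin != null) {
        kkAppEng.setForwardAfterLogin(forwardAfterLogin);
      }
      return -1;
    }

    // Validate the session with the engine. A KKException here means the session is not accepted,
    // so the customer is logged out and the cookie is pointed back at the guest customer.
    int custId;
    try {
      custId = kkAppEng.getEng().checkSession(kkAppEng.getSessionId());
    } catch (KKException e) {
      log.debug(e.getMessage());
      if (forwardAfterLogin != null) {
        kkAppEng.setForwardAfterLogin(forwardAfterLogin);
      }

      kkAppEng.getCustomerMgr().logout();

      // Ensure that the guest customer is the one in the cookie
      manageCookieLogout(request, response, kkAppEng);

      return -1;
    }

    // Check the XSRF token for a POST. Requests we are redirected to straight after a login are
    // exempt, since the token wasn't available at the time of the post.
    // NOTE(review): the check is silently skipped while the engine holds no token, and only POSTs
    // are covered -- a state-changing GET handler gets no protection from this method.
    // NOTE(review): the login exemption is a substring match, so every servlet path containing
    // "LoginSubmit" bypasses the check; tighten to the exact mapped path if the mapping is known.
    String expectedToken = kkAppEng.getXsrfToken();
    if (expectedToken != null
        && checkXSRF
        && !request.getServletPath().contains("LoginSubmit")) {
      String method = request.getMethod();
      if (method != null && method.equalsIgnoreCase("POST")) {
        String token = (xsrfToken != null) ? xsrfToken : request.getParameter("xsrf_token");
        if (token == null || !constantTimeEquals(token, expectedToken)) {
          log.warn("Possible XSRF attack for customer with id = " + custId);
          return -1;
        }
      }
    }

    // At this point we return a valid customer Id
    return custId;
  }

  /**
   * Compares two tokens without short-circuiting on the first differing byte, so the comparison
   * time does not reveal how much of the secret token an attacker has guessed correctly.
   *
   * @param presented the token supplied with the request; must not be null
   * @param expected the token held server-side; must not be null
   * @return true if both tokens are byte-for-byte identical
   */
  private static boolean constantTimeEquals(String presented, String expected) {
    byte[] left = presented.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] right = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(left, right);
  }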