dbeaver/cloudbeaver#4249 added session rotation

server/bundles/io.cloudbeaver.server.ce/src/io/cloudbeaver/service/session/CBSessionManager.java

@@ -1,6 +1,6 @@
 /*
  * DBeaver - Universal Database Manager
- * Copyright (C) 2010-2025 DBeaver Corp and others
+ * Copyright (C) 2010-2026 DBeaver Corp and others
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -199,6 +199,26 @@ protected String getSessionId(@NotNull HttpServletRequest request) {
         return httpSession.getId();
     }
 
+    /**
+     * Rotates the session ID after successful authentication to prevent session fixation attacks.
+     */
+    public void rotateSessionId(@NotNull HttpServletRequest request) {
+        HttpSession oldSession = request.getSession(false);
+        if (oldSession == null) {
+            log.debug("No HTTP session present, skipping session ID rotation");
+            return;
+        }
+        String oldSessionId = oldSession.getId();
+        String newSessionId = request.changeSessionId();
+        synchronized (sessionMap) {
+            BaseWebSession webSession = sessionMap.remove(oldSessionId);
+            if (webSession != null) {
+                sessionMap.put(newSessionId, webSession);
+            }
+        }
+        log.debug("Session ID rotated after authentication ('" + oldSessionId + "' -> '" + newSessionId + "')");
+    }
+
     /**
      * Returns not expired session from cache, or restore it.
      *

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/DBWServiceAuth.java

@@ -1,6 +1,6 @@
 /*
  * DBeaver - Universal Database Manager
- * Copyright (C) 2010-2025 DBeaver Corp and others
+ * Copyright (C) 2010-2026 DBeaver Corp and others
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,7 +35,8 @@
 public interface DBWServiceAuth extends DBWService {
 
     @WebAction(authRequired = false)
     WebAuthStatus authLogin(
+        @NotNull HttpServletRequest httpRequest,
         @NotNull WebSession webSession,
         @NotNull String providerId,
         @Nullable String providerConfigurationId,
@@ -55,7 +56,8 @@
     ) throws DBWebException;
 
     @WebAction(authRequired = false)
     WebAsyncAuthTaskResult federatedAuthTaskResult(
+        @NotNull HttpServletRequest httpRequest,
         @NotNull WebSession webSession,
         @NotNull String taskId
     ) throws DBWebException;

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/WebAsyncAuthJob.java

@@ -1,6 +1,6 @@
 /*
  * DBeaver - Universal Database Manager
- * Copyright (C) 2010-2025 DBeaver Corp and others
+ * Copyright (C) 2010-2026 DBeaver Corp and others
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@
     //to get auth result
     @Nullable
     private List<WebAuthInfo> authResult;
+    private boolean sessionRotated;
 
     public WebAsyncAuthJob(@NotNull String name, @NotNull String authId, boolean linkWithUser) {
         super(name);
@@ -46,8 +47,7 @@
     protected IStatus run(@NotNull DBRProgressMonitor monitor) {
         return null;
     }
-
     @NotNull
     public String getAuthId() {
         return authId;
     }
@@ -65,4 +65,12 @@
         this.authResult = authResult;
     }
 
+    public boolean isSessionRotated() {
+        return sessionRotated;
+    }
+
+    public void setSessionRotated(boolean sessionRotated) {
+        this.sessionRotated = sessionRotated;
+    }
+
 }

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/WebServiceBindingAuth.java

@@ -1,6 +1,6 @@
 /*
  * DBeaver - Universal Database Manager
- * Copyright (C) 2010-2025 DBeaver Corp and others
+ * Copyright (C) 2010-2026 DBeaver Corp and others
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,9 +34,10 @@
     }
 
     @Override
     public void bindWiring(DBWBindingContext model) {
         model.getQueryType()
             .dataFetcher("authLogin", env -> getService(env).authLogin(
+                GraphQLEndpoint.getServletRequestOrThrow(env),
                 getWebSession(env, false),
                 getArgumentVal(env, "provider"),
                 getArgument(env, "configuration"),
@@ -45,6 +46,7 @@
                 CommonUtils.toBoolean(getArgument(env, "forceSessionsLogout"))
             ))
             .dataFetcher("federatedAuthTaskResult", env -> getService(env).federatedAuthTaskResult(
+                GraphQLEndpoint.getServletRequestOrThrow(env),
                 getWebSession(env, false),
                 getArgumentVal(env, "taskId")
             ))

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/impl/WebServiceAuthImpl.java

@@ -1,6 +1,6 @@
 /*
  * DBeaver - Universal Database Manager
- * Copyright (C) 2010-2025 DBeaver Corp and others
+ * Copyright (C) 2010-2026 DBeaver Corp and others
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -66,7 +66,8 @@
     private static final long DEFAULT_TIMEOUT_MILLISECONDS = 5 * 60 * 1000;
 
     @Override
     public WebAuthStatus authLogin(
+        @NotNull HttpServletRequest httpRequest,
         @NotNull WebSession webSession,
         @NotNull String providerId,
         @Nullable String providerConfigurationId,
@@ -85,7 +86,9 @@
             } else {
                 //run it sync
                 var authProcessor = new WebSessionAuthProcessor(webSession, smAuthInfo, linkWithActiveUser);
-                return new WebAuthStatus(smAuthInfo.getAuthStatus(), authProcessor.authenticateSession());
+                List<WebAuthInfo> authInfos = authProcessor.authenticateSession();
+                CBApplication.getInstance().getSessionManager().rotateSessionId(httpRequest);
+                return new WebAuthStatus(smAuthInfo.getAuthStatus(), authInfos);
             }
         } catch (SMTooManySessionsException e) {
             throw new DBWebException("User authentication failed", e.getErrorType(), e);
@@ -139,7 +142,11 @@
     }
 
     @Override
-    public WebAsyncAuthTaskResult federatedAuthTaskResult(@NotNull WebSession webSession, @NotNull String taskId) throws DBWebException {
+    public WebAsyncAuthTaskResult federatedAuthTaskResult(
+        @NotNull HttpServletRequest httpRequest,
+        @NotNull WebSession webSession,
+        @NotNull String taskId
+    ) throws DBWebException {
         WebAsyncTaskInfo taskInfo = webSession.asyncTaskStatus(taskId, true);
         if (taskInfo == null) {
             throw new DBWebException("Task '" + taskId + "' not found");
@@ -154,6 +161,9 @@
         List<WebAuthInfo> userTokens = job.getAuthResult();
         if (CommonUtils.isEmpty(userTokens)) {
             userTokens = List.of();
+        } else if (!job.isSessionRotated()) {
+            CBApplication.getInstance().getSessionManager().rotateSessionId(httpRequest);
+            job.setSessionRotated(true);
         }
         return new WebAsyncAuthTaskResult(userTokens);
     }
@@ -261,6 +271,7 @@
                     }
                 }
             }
+            CBApplication.getInstance().getSessionManager().rotateSessionId(httpRequest);
             return new WebLogoutInfo(logoutUrls);
         } catch (DBException e) {
             throw new DBWebException("User logout failed", e);