Merge branch 'rcaa-master' into master.

Author: fzs

src/main/java/com/gitblit/ConfigUserService.java

@@ -898,7 +898,7 @@ protected synchronized void read() {
 					user.countryCode = config.getString(USER, username, COUNTRYCODE);
 					user.cookie = config.getString(USER, username, COOKIE);
 					if (StringUtils.isEmpty(user.cookie) && !StringUtils.isEmpty(user.password)) {
-						user.cookie = StringUtils.getSHA1(user.username + user.password);
+						user.cookie = user.createCookie();
 					}
 
 					// preferences

src/main/java/com/gitblit/auth/AuthenticationProvider.java

@@ -78,10 +78,10 @@ public String getServiceName() {
 
 	public abstract AuthenticationType getAuthenticationType();
 
-	protected void setCookie(UserModel user, char [] password) {
+	protected void setCookie(UserModel user) {
 		// create a user cookie
-		if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
-			user.cookie = StringUtils.getSHA1(user.username + new String(password));
+		if (StringUtils.isEmpty(user.cookie)) {
+			user.cookie = user.createCookie();
 		}
 	}
 

src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java

@@ -196,7 +196,7 @@ else if (supportPlaintextPwd() && storedPwd.equals(passwd)){
                 }
 
                 // create a user cookie
-                setCookie(user, password);
+                setCookie(user);
 
                 // Set user attributes, hide password from backing user service.
                 user.password = Constants.EXTERNAL_ACCOUNT;

src/main/java/com/gitblit/auth/LdapAuthProvider.java

@@ -307,7 +307,7 @@ public UserModel authenticate(String username, char[] password) {
 							}
 
 							// create a user cookie
-							setCookie(user, password);
+							setCookie(user);
 
 							if (!supportsTeamMembershipChanges()) {
 								getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);

src/main/java/com/gitblit/auth/PAMAuthProvider.java

@@ -122,7 +122,7 @@ public UserModel authenticate(String username, char[] password) {
         }
 
         // create a user cookie
-        setCookie(user, password);
+        setCookie(user);
 
         // update user attributes from UnixUser
         user.accountType = getAccountType();

src/main/java/com/gitblit/auth/RedmineAuthProvider.java

@@ -139,7 +139,7 @@ public UserModel authenticate(String username, char[] password) {
         }
 
         // create a user cookie
-        setCookie(user, password);
+        setCookie(user);
 
         // update user attributes from Redmine
         user.accountType = getAccountType();

src/main/java/com/gitblit/auth/SalesforceAuthProvider.java

@@ -66,7 +66,7 @@ public UserModel authenticate(String username, char[] password) {
 					user = new UserModel(simpleUsername);
 				}
 
-				setCookie(user, password);
+				setCookie(user);
 				setUserAttributes(user, info);
 
 				updateUser(user);

src/main/java/com/gitblit/auth/WindowsAuthProvider.java

@@ -153,7 +153,7 @@ public UserModel authenticate(String username, char[] password) {
         }
 
         // create a user cookie
-        setCookie(user, password);
+        setCookie(user);
 
         // update user attributes from Windows identity
         user.accountType = getAccountType();

src/main/java/com/gitblit/client/EditUserDialog.java

@@ -330,7 +330,7 @@ private boolean validateFields() {
 			}
 
 			// change the cookie
-			user.cookie = StringUtils.getSHA1(user.username + password);
+			user.cookie = user.createCookie();
 
 			String type = settings.get(Keys.realm.passwordStorage).getString("md5");
 			if (type.equalsIgnoreCase("md5")) {

src/main/java/com/gitblit/models/UserModel.java

@@ -17,6 +17,7 @@
 
 import java.io.Serializable;
 import java.security.Principal;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
@@ -36,6 +37,7 @@
 import com.gitblit.Constants.RegistrantType;
 import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.ModelUtils;
+import com.gitblit.utils.SecureRandom;
 import com.gitblit.utils.StringUtils;
 
 /**
@@ -52,6 +54,8 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
 
 	public static final UserModel ANONYMOUS = new UserModel();
 
+	private static final SecureRandom RANDOM = new SecureRandom();
+
 	// field names are reflectively mapped in EditUser page
 	public String username;
 	public String password;
@@ -660,4 +664,8 @@ public boolean isMyPersonalRepository(String repository) {
 		String projectPath = StringUtils.getFirstPathElement(repository);
 		return !StringUtils.isEmpty(projectPath) && projectPath.equalsIgnoreCase(getPersonalPath());
 	}
+
+	public String createCookie() {
+		return StringUtils.getSHA1(RANDOM.randomBytes(32));
+	}
 }