[undertow-dev] Possible session lookup bug when no session cookie present
Toby Crawley
toby at tcrawley.org
Fri Aug 28 14:41:49 EDT 2015
With this commit[1], calls to Sessions.getOrCreateSession() from
within a handler where no session cookie was sent with the request
result in a new Session being created every time, with the last
Session created actually being the one stored when the exchange is
completed.
This means that the following in a handler results in "foo" not being
in the session on the next request:
Sessions.getOrCreateSession(exchange).setAttribute("foo", "bar");
Sessions.getOrCreateSession(exchange);
Before [1], the second getOrCreateSession() call would return the same
Session object as the first call, not overwriting the one already
attached to the request, and "foo" would be preserved.
I'm not sure if you consider this a bug or not, but wanted to point it
out just in case. We discovered this in an Immutant test when
upgrading from undertow 1.1.0, and we were able to work around it with
a small change to that test. I don't believe this will affect any
Immutant users, since we handle all Session access for them, and call
getOrCreateSession() only once during regular operation.
Let me know if you do consider this a bug, and I'll file a JIRA.
- Toby
[1]: https://github.com/undertow-io/undertow/commit/a97fec29f379fff6cb5a74ae9a39177a9c36d4ae
More information about the undertow-dev
mailing list