[undertow-dev] Possible session lookup bug when no session cookie present

Toby Crawley toby at tcrawley.org
Tue Sep 1 10:06:17 EDT 2015


Thanks for the quick fix!

On Mon, Aug 31, 2015 at 8:45 PM, Stuart Douglas <sdouglas at redhat.com> wrote:
> I have released 1.2.11.Final with this fix.
>
> Stuart
>
> ----- Original Message -----
>> From: "Toby Crawley" <toby at tcrawley.org>
>> To: "Stuart Douglas" <sdouglas at redhat.com>
>> Cc: undertow-dev at lists.jboss.org
>> Sent: Tuesday, 1 September, 2015 1:33:29 AM
>> Subject: Re: [undertow-dev] Possible session lookup bug when no session cookie present
>>
>> Okay. I filed https://issues.jboss.org/browse/UNDERTOW-528
>>
>> On Fri, Aug 28, 2015 at 6:37 PM, Stuart Douglas <sdouglas at redhat.com> wrote:
>> > This is a bug.
>> >
>> > Stuart
>> >
>> > ----- Original Message -----
>> >> From: "Toby Crawley" <toby at tcrawley.org>
>> >> To: undertow-dev at lists.jboss.org
>> >> Sent: Saturday, 29 August, 2015 4:41:49 AM
>> >> Subject: [undertow-dev] Possible session lookup bug when no session cookie present
>> >>
>> >> With this commit[1], calls to Sessions.getOrCreateSession() from
>> >> within a handler where no session cookie was sent with the request
>> >> result in a new Session being created every time, with the last
>> >> Session created actually being the one stored when the exchange is
>> >> completed.
>> >>
>> >> This means that the following in a handler results in "foo" not being
>> >> in the session on the next request:
>> >>
>> >> Sessions.getOrCreateSession(exchange).setAttribute("foo", "bar");
>> >> Sessions.getOrCreateSession(exchange);
>> >>
>> >> Before [1], the second getOrCreateSession() call would return the same
>> >> Session object as the first call, not overwriting the one already
>> >> attached to the request, and "foo" would be preserved.
>> >>
>> >> I'm not sure if you consider this a bug or not, but wanted to point it
>> >> out just in case. We discovered this in an Immutant test when
>> >> upgrading from undertow 1.1.0, and we were able to work around it with
>> >> a small change to that test. I don't believe this will affect any
>> >> Immutant users, since we handle all Session access for them, and call
>> >> getOrCreateSession() only once during regular operation.
>> >>
>> >> Let me know if you do consider this a bug, and I'll file a JIRA.
>> >>
>> >> - Toby
>> >>
>> >> [1]:
>> >> https://github.com/undertow-io/undertow/commit/a97fec29f379fff6cb5a74ae9a39177a9c36d4ae
>> >> _______________________________________________
>> >> undertow-dev mailing list
>> >> undertow-dev at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/undertow-dev
>> >>
>>
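The behaviour Toby describes, as an added example that is not part of the original thread and not Undertow's own code: one handler repeats the double `getOrCreateSession()` call from the report, the other resolves the session once per request and keeps the reference, which is the pattern that behaves the same whether or not the lookup bug is present. The listener port, the deployment name `"demo"`, the `/double` and `/single` paths and the cookie settings are assumptions for a local demo. `Sessions.getSession()` is Undertow's lookup-only counterpart of `getOrCreateSession()` and is used in the second handler to check that the same `Session` object comes back.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.PathHandler;
import io.undertow.server.session.InMemorySessionManager;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionAttachmentHandler;
import io.undertow.server.session.SessionCookieConfig;
import io.undertow.util.Sessions;

public class SessionLookupExample {

    // The pattern from the report: two getOrCreateSession() calls in one request
    // that carries no session cookie. On the affected versions the second call
    // hands back a fresh Session, so the attribute set on the first one is not in
    // the session that is finally stored and "foo=null" is what a later request sees.
    static final HttpHandler DOUBLE_CALL = exchange -> {
        Sessions.getOrCreateSession(exchange).setAttribute("foo", "bar");
        Session second = Sessions.getOrCreateSession(exchange);
        exchange.getResponseSender().send("foo=" + second.getAttribute("foo"));
    };

    // Defensive pattern: resolve the session exactly once per request, keep the
    // reference, and afterwards only look up (never re-create). Anything a handler
    // treats as security state, an authenticated-user marker for instance, should
    // be written to and read from this single reference.
    static final HttpHandler SINGLE_CALL = exchange -> {
        Session session = Sessions.getOrCreateSession(exchange);
        session.setAttribute("foo", "bar");
        // getSession() only returns the Session already attached to the exchange
        Session again = Sessions.getSession(exchange);
        boolean same = (again == session);
        exchange.getResponseSender().send(
                "foo=" + session.getAttribute("foo") + " same=" + same);
    };

    public static void main(String[] args) {
        // Cookie settings are assumptions for a plain-HTTP local demo only.
        SessionCookieConfig cookieConfig = new SessionCookieConfig()
                .setHttpOnly(true)   // keep the session id away from page script
                .setSecure(false);   // set to true behind TLS
        InMemorySessionManager manager = new InMemorySessionManager("demo");

        PathHandler paths = new PathHandler()
                .addExactPath("/double", DOUBLE_CALL)
                .addExactPath("/single", SINGLE_CALL);

        Undertow.builder()
                .addHttpListener(8080, "localhost")
                .setHandler(new SessionAttachmentHandler(paths, manager, cookieConfig))
                .build()
                .start();
    }
}
```

To reproduce, request `/double` and `/single` without a cookie jar (so no session cookie is ever sent back) and compare the `foo=` value in each response; on a fixed release such as 1.2.11.Final both should report `foo=bar`.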

