[undertow-dev] sessionId changes between requests?

Stuart Douglas sdouglas at redhat.com
Fri Jan 22 17:33:54 EST 2016


Yes, at least with the way we implement it. When a session is generated it has the node id appended to the end of the session (so the session ID will look something like ASDGAWG242AF.node1). Both sessions will end up with the same node ID in this case.

We don't maintain an internal map of session ID -> node id, but even if we did it would still work, because that map should be updated when the new cookie is generated.

Stuart

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stuart Douglas" <sdouglas at redhat.com>
> Cc: undertow-dev at lists.jboss.org
> Sent: Saturday, 23 January, 2016 12:50:30 AM
> Subject: Re: [undertow-dev] sessionId changes between requests?
> 
> Is this safe for load balancers and sticky sessions?
> 
> On 1/22/2016 12:14 AM, Stuart Douglas wrote:
> > Something to be aware of is that in Servlet 3.1 users can also trigger this
> > change by calling javax.servlet.http.HttpServletRequest.changeSessionId().
> >
> > Not sure if that will also cause issues for you or not.
> >
> > Stuart
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stuart Douglas" <sdouglas at redhat.com>
> >> Cc: undertow-dev at lists.jboss.org
> >> Sent: Friday, 22 January, 2016 3:29:29 PM
> >> Subject: Re: [undertow-dev] sessionId changes between requests?
> >>
> >> Maybe a decoupling of cookie from session ID isn't very feasible...I
> >> guess I can just turn off the "changeSessionIdOnLogin" switch and change
> >> the ID within the authenticator instead.
> >>
> >> On 1/21/2016 10:28 PM, Stuart Douglas wrote:
> >>> This was done for security reasons (see
> >>> https://issues.jboss.org/browse/UNDERTOW-579).
> >>>
> >>> I don't know how practical it would be to de-couple the cookie value from
> >>> the session ID. Could you just use a
> >>> javax.servlet.http.HttpSessionIdListener to monitor session ID changes?
> >>>
> >>> Stuart
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: undertow-dev at lists.jboss.org
> >>>> Sent: Friday, 22 January, 2016 11:44:53 AM
> >>>> Subject: Re: [undertow-dev] sessionId changes between requests?
> >>>>
> >>>> Ok, found it.  setChangeSessionIdOnLogin()
> >>>>
> >>>> Can I ask why this is done?  Security reasons?  To change the cookie?
> >>>> If it is to change the cookie, it would be really good in the future to
> >>>> decouple the session cookie value from the session id so that plugins,
> >>>> like Keycloak, that are remotely managing and monitoring sessions can
> >>>> still do so without creating a security hole.
> >>>>
> >>>> On 1/21/2016 6:10 PM, Bill Burke wrote:
> >>>>> Does an HttpSession ID change between requests?  We are storing the
> >>>>> current HttpSession ID at our IDP after login, then transmitting it back to
> >>>>> the app in a background HTTP request, looking up the session and then
> >>>>> invalidating it. This used to work on Wildfly 8 and 9; in 10, it looks like
> >>>>> it is not the same http session.
> >>>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>>> _______________________________________________
> >>>> undertow-dev mailing list
> >>>> undertow-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
> >>>>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
> 
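One way to follow the ID change discussed in this thread, using the javax.servlet.http.HttpSessionIdListener Stuart suggests: the application remembers the ID it handed to the remote side (the IdP) at login and re-keys it whenever the container changes the session ID, so the ID sent back later still resolves to the live session. This is an added example, not Undertow or Keycloak code; it assumes the application registers the listener itself, calls remember() after login, and that a session ID may carry a ".nodeId" route suffix as in the ASDGAWG242AF.node1 example above.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;
/** Keeps the session ID stored remotely at login (e.g. at an IdP) resolvable to
 *  the session's current ID across changeSessionId() and the container's
 *  change-session-id-on-login step, so a later back-channel "invalidate this
 *  session" request still finds the right session. */
@WebListener
public class SessionIdTracker implements HttpSessionIdListener, HttpSessionListener {
    // stored ID -> current ID, plus the reverse index so a change event re-keys in O(1)
    private static final Map<String, String> storedToCurrent = new ConcurrentHashMap<>();
    private static final Map<String, String> currentToStored = new ConcurrentHashMap<>();
    /** Assumption: the ID may carry a ".<nodeId>" suffix appended for sticky routing;
     *  compare on the bare ID (a no-op when the ID carries no suffix). */
    static String bareId(String sessionId) {
        int dot = sessionId.indexOf('.');
        return dot < 0 ? sessionId : sessionId.substring(0, dot);
    }

    /** Call when the ID is handed to the remote side, i.e. after login completed. */
    public static void remember(String sessionId) {
        String id = bareId(sessionId);
        storedToCurrent.put(id, id);
        currentToStored.put(id, id);
    }

    /** Current ID for an ID the remote side sent back; null if unknown or destroyed. */
    public static String currentIdFor(String storedId) {
        return storedToCurrent.get(bareId(storedId));
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        String now = bareId(event.getSession().getId());
        String stored = currentToStored.remove(bareId(oldSessionId));
        if (stored == null) return;            // not a session we handed out
        storedToCurrent.put(stored, now);
        currentToStored.put(now, stored);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        String stored = currentToStored.remove(bareId(event.getSession().getId()));
        if (stored != null) storedToCurrent.remove(stored);
    }
    @Override public void sessionCreated(HttpSessionEvent event) { }
}
```

The back-channel handler then passes the ID the IdP sent to currentIdFor() and invalidates that session through the container's session manager; the ID rotation on login, which UNDERTOW-579 introduced against session fixation, stays in place.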

