]
Masafumi Miura reassigned WFLY-10912:
-------------------------------------
Assignee: Paul Ferraro (was: Stuart Douglas)
CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID
Set-Cookie header
-----------------------------------------------------------------------------------
Key: WFLY-10912
URL:
https://issues.jboss.org/browse/WFLY-10912
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 13.0.0.Final, 14.0.0.Beta2
Reporter: Masafumi Miura
Assignee: Paul Ferraro
This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the
problem is a bit different.
The issue happens when the client sends JSESSIONID Cookie in the request to the web
application does NOT use HttpSession. JSESSIONID Set-Cookie response header should not be
sent in this scenario, but WildFly/EAP 7 returns the response with JSESSIONID reusing the
requested session id which does not exist in the session manager.
The fix for WFLY-10262 / JBEAP-14641 added AttachmentKey SESSION_ID_SET to avoid invoking
CodecSessionConfig#setSessionId() more than once. However, the fix does not help for this
issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET is null)
before the problematic CodecSessionConfig#findSessionId() processing in this scenario.