CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header ----------------------------------------------------------------------------------- Key: WFLY-10912 URL: https://issues.jboss.org/browse/WFLY-10912 Project: WildFly Issue Type: Bug Components: Web (Undertow) Affects Versions: 13.0.0.Final, 14.0.0.Beta2 Reporter: Masafumi Miura Assignee: Paul Ferraro This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the problem is a bit different. The issue happens when the client sends JSESSIONID Cookie in the request to the web application does NOT use HttpSession. JSESSIONID Set-Cookie response header should not be sent in this scenario, but WildFly/EAP 7 returns the response with JSESSIONID reusing the requested session id which does not exist in the session manager. The fix for WFLY-10262 / JBEAP-14641 added AttachmentKey SESSION_ID_SET to avoid invoking CodecSessionConfig#setSessionId() more than once. However, the fix does not help for this issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET is null) before the problematic CodecSessionConfig#findSessionId() processing in this scenario.