[ https://issues.jboss.org/browse/WFLY-10912?page=com.atlassian.jira.plugin... ]
Paul Ferraro commented on WFLY-10912:
-------------------------------------
[~mmiura] I'm not sure I agree with the premise of this jira.
The CodecSessionConfig is responsible for encoding/decoding the route into/from the
session ID. Thus, if you send a request containing a cookie that is missing a route, the
response will contain a Set-Cookie header with a modified JSESSIONID containing the
appended route.
CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header
-----------------------------------------------------------------------------------
Key: WFLY-10912
URL: https://issues.jboss.org/browse/WFLY-10912
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 13.0.0.Final, 14.0.0.Beta2
Reporter: Masafumi Miura
Assignee: Paul Ferraro
This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the
problem is a bit different.
The issue happens when the client sends a JSESSIONID cookie in a request to a web
application that does NOT use HttpSession. A JSESSIONID Set-Cookie response header should
not be sent in this scenario, but WildFly/EAP 7 returns the response with a JSESSIONID
reusing the requested session id, which does not exist in the session manager.
The fix for WFLY-10262 / JBEAP-14641 added the AttachmentKey SESSION_ID_SET to avoid
invoking CodecSessionConfig#setSessionId() more than once. However, the fix does not help
with this issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET
is null) before the problematic CodecSessionConfig#findSessionId() processing in this
scenario.
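A header-level regression check that separates the two behaviours discussed in this message (a route being appended to an existing session's id versus a Set-Cookie that reuses a requested id unknown to the session manager). It is an added example, not code from WildFly or from the issue. The function names, the "." route delimiter and the sample header values are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

ROUTE_DELIMITER = "."  # assumption: the route is appended as "<session id>.<route>"


def split_route(value):
    """Split a cookie value into (session id, route); route is None if absent."""
    session_id, sep, route = value.partition(ROUTE_DELIMITER)
    return session_id, (route if sep else None)


def cookie_value(header, name="JSESSIONID"):
    """Return the named cookie's value from a Cookie or Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def classify(cookie_header, set_cookie_headers, session_exists):
    """Classify the response to a request that carried a JSESSIONID cookie.

    session_exists says whether the session manager knows the requested id;
    a test harness learns this from the server side, not from the headers.
    """
    requested = cookie_value(cookie_header)
    if requested is None:
        return "no-request-cookie"
    requested_id, _ = split_route(requested)
    for header in set_cookie_headers:
        issued = cookie_value(header)
        if issued is None:
            continue  # Set-Cookie for some other cookie
        issued_id, _ = split_route(issued)
        if issued_id != requested_id:
            return "new-session-id"
        # Same id sent back: a route rewrite if the session is real,
        # otherwise the client-chosen id was reissued for a session that
        # does not exist (the behaviour reported in WFLY-10912).
        return "route-rewrite" if session_exists else "reissued-unknown-id"
    return "no-session-cookie"


# Constructed sample headers; "abc123" and "node1" are made-up values.
SAMPLE_REQUEST = "JSESSIONID=abc123; theme=dark"
SAMPLE_RESPONSE = ["JSESSIONID=abc123.node1; Path=/app; HttpOnly"]

if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST, SAMPLE_RESPONSE, session_exists=False))
```

For an application that never uses HttpSession, the result the reporter expects is `no-session-cookie`; `reissued-unknown-id` marks the response described in the issue.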