[
https://issues.jboss.org/browse/WFLY-10912?page=com.atlassian.jira.plugin...
]
Paul Ferraro commented on WFLY-10912:
-------------------------------------
[~mmiura] I see your point, however, it is not the responsibility of the session config to
validate the incoming session ID. This happens when the session is actually requested by
the servlet. In this case, the incoming session ID will be invalidated and a new one
assigned.
CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID
Set-Cookie header
-----------------------------------------------------------------------------------
Key: WFLY-10912
URL:
https://issues.jboss.org/browse/WFLY-10912
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 13.0.0.Final, 14.0.0.Beta2
Reporter: Masafumi Miura
Assignee: Paul Ferraro
Priority: Major
This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the
problem is a bit different.
The issue happens when the client sends JSESSIONID Cookie in the request to the web
application does NOT use HttpSession. JSESSIONID Set-Cookie response header should not be
sent in this scenario, but WildFly/EAP 7 returns the response with JSESSIONID reusing the
requested session id which does not exist in the session manager.
The fix for WFLY-10262 / JBEAP-14641 added AttachmentKey SESSION_ID_SET to avoid invoking
CodecSessionConfig#setSessionId() more than once. However, the fix does not help for this
issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET is null)
before the problematic CodecSessionConfig#findSessionId() processing in this scenario.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)