Creating an HttpSession with Ajax Request and then redirecting the response causes an HTTPSession to leak --------------------------------------------------------------------------------------------------------- Key: RF-8274 URL: https://jira.jboss.org/jira/browse/RF-8274 Project: RichFaces Issue Type: Bug Security Level: Public (Everyone can see) Components: component-a4j-core Affects Versions: 3.3.2.GA Environment: j2sdk1.5.0_06/1.6.0_14, Windows/Linux, JSF1.2, JBoss 5.1.0GA, Weblogic 9.2 Reporter: yagish sharma While running the load test on our environment, we found a HTTPSession object getting created in response to an AjaxRequest, but in the "redirected" response, the Set-Cookie - JSessionID was missing causing the server to leak an HttpSession. Further digging down the issue, we found the BaseXMLFilter.resetResponse method "resets" the original (server) response object, and then copies the cookies over from a response wrapper, thus missing to reset the JSessionID cookie into the response object. This issue is closely related to how the JSessionID is set in the response object by the AppServer. JBoss (Tomcat), on creation of an HTTPSession object, creates a JSessionID cookie and appends it directly to the response object's cookies arrayList (without calling the ServletResponse.addCookie() method). Similar behavior was found in load testing on Weblogic 9.2 app server as well. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira