I have released 1.2.11.Final with this fix.
Stuart
----- Original Message -----
From: "Toby Crawley" <toby(a)tcrawley.org>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Tuesday, 1 September, 2015 1:33:29 AM
Subject: Re: [undertow-dev] Possible session lookup bug when no session cookie present
Okay. I filed
https://issues.jboss.org/browse/UNDERTOW-528
On Fri, Aug 28, 2015 at 6:37 PM, Stuart Douglas <sdouglas(a)redhat.com> wrote:
> This is a bug.
>
> Stuart
>
> ----- Original Message -----
>> From: "Toby Crawley" <toby(a)tcrawley.org>
>> To: undertow-dev(a)lists.jboss.org
>> Sent: Saturday, 29 August, 2015 4:41:49 AM
>> Subject: [undertow-dev] Possible session lookup bug when no session cookie
>> present
>>
>> With this commit[1], calls to Sessions.getOrCreateSession() from
>> within a handler where no session cookie was sent with the request
>> result in a new Session being created every time, with the last
>> Session created actually being the one stored when the exchange is
>> completed.
>>
>> This means that the following in a handler results in "foo" not being
>> in the session on the next request:
>>
>> Sessions.getOrCreateSession(exchange).setAttribute("foo", "bar");
>> Sessions.getOrCreateSession(exchange);
>>
>> Before [1], the second getOrCreateSession() call would return the same
>> Session object as the first call, not overwriting the one already
>> attached to the request, and "foo" would be preserved.
>>
>> I'm not sure if you consider this a bug or not, but wanted to point it
>> out just in case. We discovered this in an Immutant test when
>> upgrading from undertow 1.1.0, and we were able to work around it with
>> a small change to that test. I don't believe this will affect any
>> Immutant users, since we handle all Session access for them, and call
>> getOrCreateSession() only once during regular operation.
>>
>> Let me know if you do consider this a bug, and I'll file a JIRA.
>>
>> - Toby
>>
>> [1]: https://github.com/undertow-io/undertow/commit/a97fec29f379fff6cb5a74ae9a...
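
The following is an added example, not part of the original thread and not Undertow's own code: a minimal regression check for the behaviour reported above, calling Sessions.getOrCreateSession() twice in one exchange and reporting whether both calls returned the same session. The class name SessionReuseCheck, the session manager name and port 8080 are assumptions chosen for illustration.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.session.InMemorySessionManager;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionAttachmentHandler;
import io.undertow.server.session.SessionCookieConfig;
import io.undertow.util.Sessions;

// Hypothetical class name; run with Undertow on the classpath.
public class SessionReuseCheck {

    // Repeats the two calls from the report inside a single exchange and
    // writes back whether they resolved to the same session.
    static final HttpHandler CHECK = exchange -> {
        Session first = Sessions.getOrCreateSession(exchange);
        first.setAttribute("foo", "bar");

        // Second lookup in the same exchange, still with no cookie on the request.
        Session second = Sessions.getOrCreateSession(exchange);

        boolean sameSession = first.getId().equals(second.getId());
        Object foo = second.getAttribute("foo");
        exchange.getResponseSender()
                .send("sameSession=" + sameSession + " foo=" + foo + "\n");
    };

    public static void main(String[] args) {
        // SessionAttachmentHandler attaches the session manager and cookie
        // config that Sessions.getOrCreateSession() looks up on the exchange.
        SessionAttachmentHandler sessions = new SessionAttachmentHandler(
                new InMemorySessionManager("session-reuse-check"), // assumed name
                new SessionCookieConfig());
        sessions.setNext(CHECK);

        Undertow.builder()
                .addHttpListener(8080, "127.0.0.1") // assumed port, loopback only
                .setHandler(sessions)
                .build()
                .start();
    }
}
```

Send a request without a session cookie: a version that reuses the session prints sameSession=true foo=bar, while a version with the behaviour reported above would be expected to print sameSession=false.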