[jboss-jira] [JBoss JIRA] (WFLY-4165) Invalidating another session removes the JSESSIONID cookie of the current session

Nicolas Grussenmeyer (JIRA) issues at jboss.org
Tue Dec 9 08:48:40 EST 2014


Nicolas Grussenmeyer created WFLY-4165:
------------------------------------------

             Summary: Invalidating another session removes the JSESSIONID cookie of the current session
                 Key: WFLY-4165
                 URL: https://issues.jboss.org/browse/WFLY-4165
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
    Affects Versions: 8.2.0.Final, 8.1.0.Final
         Environment: WildFly 8.1.0.Final and WildFly 8.2.0.Final on Windows 7 x64 
JDK 8u25
Session storage set to Cookie
            Reporter: Nicolas Grussenmeyer
            Assignee: Stuart Douglas


When calling {{invalidate()}} on an HttpSession object of a session other than the current one, the server sends back a "cookie expired" header {{Set-Cookie: JSESSIONID=XXXXXXXX; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT}} where XXXXXXXX is the session id of the invalidated session.
This results in the current JSESSIONID cookie being discarded by the browser, and the current session being lost.

I was able to narrow the "problem" down to {{io.undertow.servlet.spec.HttpSessionImpl:193}} (in Undertow 1.0.15.Final), where the ServletRequestContext is taken from the ThreadLocal storage, returning the current request context instead of null (as the target session is not associated with the current ServletRequestContext).

A workaround is to call {{invalidate()}} in a new Thread, so the retrieved ServletRequestContext is null.



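The behaviour reported above can be checked at the HTTP level. The following is an added example, not part of the original report or of WildFly/Undertow: it flags responses that expire a JSESSIONID whose value differs from the one the request sent. The function names and the sample session ids are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr names lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def is_expiring(attrs, now=None):
    """True if the attributes tell the browser to delete the cookie."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # unparsable Max-Age: fall back to Expires
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def foreign_session_expiries(cookie_header, set_cookie_headers, name="JSESSIONID"):
    """Ids expired by the response that are not the session id the request sent.

    Browsers match cookies by name, domain and path, not by value, so any hit
    here deletes the caller's own session cookie.
    """
    sent = dict(p.strip().partition("=")[::2] for p in cookie_header.split(";") if "=" in p)
    hits = []
    for header in set_cookie_headers:
        cname, value, attrs = parse_set_cookie(header)
        if cname == name and is_expiring(attrs) and value != sent.get(name):
            hits.append(value)
    return hits

if __name__ == "__main__":
    # Constructed exchange: the ids are placeholders, the header layout follows the report.
    request_cookie = "JSESSIONID=CURRENT-ID"
    response = ["JSESSIONID=OTHER-ID; path=/; HttpOnly; Max-Age=0; "
                "Expires=Thu, 01-Jan-1970 00:00:00 GMT"]
    print(foreign_session_expiries(request_cookie, response))
```

An empty result for a request that invalidates a different session means the caller's cookie is left alone; a normal logout, where the expired id equals the id the request sent, is not flagged.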