[jboss-jira] [JBoss JIRA] (WFLY-4165) Invalidating another session removes the JSESSIONID cookie of the current session

Stuart Douglas (JIRA) issues at jboss.org
Thu Dec 11 01:02:39 EST 2014


    [ https://issues.jboss.org/browse/WFLY-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13026925#comment-13026925 ] 

Stuart Douglas commented on WFLY-4165:
--------------------------------------

Fixed in Undertow upstream

> Invalidating another session removes the JSESSIONID cookie of the current session
> ---------------------------------------------------------------------------------
>
>                 Key: WFLY-4165
>                 URL: https://issues.jboss.org/browse/WFLY-4165
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final, 8.2.0.Final
>         Environment: WildFly 8.1.0.Final and WildFly 8.2.0.Final on Windows 7 x64 
> JDK 8u25
> Session storage set to Cookie
>            Reporter: Nicolas Grussenmeyer
>            Assignee: Stuart Douglas
>
> When calling {{invalidate()}} on an HttpSession object of a session other than the current one, the server sends back a "cookie expired" header {{Set-Cookie: JSESSIONID=XXXXXXXX; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT}} where XXXXXXXX is the session id of the invalidated session.
> This results in the current JSESSIONID cookie being discarded by the browser, and the current session being lost.
> I was able to narrow the "problem" down to {{[io.undertow.servlet.spec.HttpSessionImpl:193|https://github.com/undertow-io/undertow/blob/1.0.15.Final/servlet/src/main/java/io/undertow/servlet/spec/HttpSessionImpl.java#L193]}} (in Undertow 1.0.15.Final), where the ServletRequestContext is taken from the ThreadLocal storage, returning the current request context instead of null (as the target session is not associated with the current ServletRequestContext).
> A workaround is to call {{invalidate()}} in a new Thread, so the retrieved ServletRequestContext is null.



--
This message was sent by Atlassian JIRA
(v6.3.8#6338)
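
A simplified model of the mechanism described in the report, added here as an example; it is not part of the original message and not Undertow's code. All class and method names and the session ids are hypothetical, and the guarded variant shows one possible check, not the upstream fix.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the report; every name here is hypothetical, not Undertow's.
public class SessionInvalidateModel {
    // Stands in for the per-request context that is bound to the worker thread.
    static final class RequestContext {
        final String requestSessionId;
        final List<String> responseHeaders = new ArrayList<>();
        RequestContext(String requestSessionId) { this.requestSessionId = requestSessionId; }
    }

    static final ThreadLocal<RequestContext> CURRENT = new ThreadLocal<>();

    static final class Session {
        final String id;
        Session(String id) { this.id = id; }

        // Reported behaviour: the expiry cookie is written to whatever request runs on this thread.
        void invalidateUnscoped() {
            RequestContext ctx = CURRENT.get();
            if (ctx != null) ctx.responseHeaders.add(expiryCookie(id));
        }

        // Guarded variant (assumption, not the upstream fix): only the session that
        // belongs to the current request may clear that request's cookie.
        void invalidateScoped() {
            RequestContext ctx = CURRENT.get();
            if (ctx != null && id.equals(ctx.requestSessionId)) ctx.responseHeaders.add(expiryCookie(id));
        }
    }

    static String expiryCookie(String id) {
        return "Set-Cookie: JSESSIONID=" + id + "; path=/; HttpOnly; Max-Age=0";
    }

    // Simulates one request owned by ownId whose handler invalidates the session targetId.
    static List<String> handle(String ownId, String targetId, boolean scoped) {
        RequestContext ctx = new RequestContext(ownId);
        CURRENT.set(ctx);
        try {
            Session target = new Session(targetId);
            if (scoped) target.invalidateScoped(); else target.invalidateUnscoped();
            return ctx.responseHeaders;
        } finally { CURRENT.remove(); }
    }

    public static void main(String[] args) {
        // Constructed session ids: "admin-1" owns the request, "user-2" is the other session.
        System.out.println("unscoped, other session: " + handle("admin-1", "user-2", false));
        System.out.println("scoped, other session:   " + handle("admin-1", "user-2", true));
        System.out.println("scoped, own session:     " + handle("admin-1", "admin-1", true));
    }
}
```

Only the first case puts an expiry header for the other session's id on the current response, which is the header the report says makes the browser discard its own JSESSIONID cookie.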

