[jboss-jira] [JBoss JIRA] (WFLY-6278) Requesting a session with an unexpected character causes request to fail

Paul Ferraro (JIRA) issues at jboss.org
Wed Feb 24 17:16:03 EST 2016


     [ https://issues.jboss.org/browse/WFLY-6278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Ferraro updated WFLY-6278:
-------------------------------
    Priority: Blocker  (was: Critical)


> Requesting a session with an unexpected character causes request to fail
> ------------------------------------------------------------------------
>
>                 Key: WFLY-6278
>                 URL: https://issues.jboss.org/browse/WFLY-6278
>             Project: WildFly
>          Issue Type: Bug
>          Components: Clustering, Web (Undertow)
>    Affects Versions: 10.0.0.Final
>            Reporter: Paul Ferraro
>            Assignee: Paul Ferraro
>            Priority: Blocker
>
> The root cause of the problem is that the distributed web session code optimizes the marshalling of the session identifier, by using a URL safe Base64 codec.  Because this marshalling happens transparently, when Cache.get(...) goes remote (since the session ID containing an invalid character will never be found locally), the resulting IllegalArgumentException goes undetected - and propagates back to the client.
> To prevent this, we need to validate that the requested session ID can be serialized - and if not, respond as if the session was not found.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
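
The validation described in the issue, sketched as an added example (not WildFly's code and not the actual fix): an ID that cannot be marshalled is answered as "session not found" instead of letting the exception reach the client. It assumes java.util.Base64's URL-safe decoder as the codec; the SessionIdValidation class, its methods, the in-memory map standing in for the distributed cache, and the sample IDs are all hypothetical.

```java
import java.nio.ByteBuffer;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical illustration; names are not taken from WildFly.
public class SessionIdValidation {
    private static final Base64.Decoder DECODER = Base64.getUrlDecoder();

    // Stand-in for the remote cache, keyed by the marshalled (decoded) identifier.
    private final Map<ByteBuffer, String> cache = new HashMap<>();

    // Marshalling step: throws IllegalArgumentException when the ID contains
    // a character outside the URL-safe Base64 alphabet.
    static ByteBuffer marshal(String sessionId) {
        return ByteBuffer.wrap(DECODER.decode(sessionId));
    }

    void create(String sessionId, String attributes) {
        cache.put(marshal(sessionId), attributes);
    }

    // Unguarded lookup: the marshalling failure escapes to the caller.
    Optional<String> findUnguarded(String sessionId) {
        return Optional.ofNullable(cache.get(marshal(sessionId)));
    }

    // Guarded lookup: an ID that cannot be marshalled is treated as "not found".
    Optional<String> find(String sessionId) {
        final ByteBuffer key;
        try {
            key = marshal(sessionId);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        return Optional.ofNullable(cache.get(key));
    }

    public static void main(String[] args) {
        SessionIdValidation manager = new SessionIdValidation();
        String valid = "Zm9vYmFyMTIzNDU2Nzg5MA";  // constructed sample ID
        String invalid = "Zm9vYmFy!MTIzNDU2";      // constructed: '!' is not in the alphabet
        manager.create(valid, "user=alice");
        System.out.println("valid id:   " + manager.find(valid));
        System.out.println("invalid id: " + manager.find(invalid));
        try {
            manager.findUnguarded(invalid);
        } catch (IllegalArgumentException e) {
            System.out.println("unguarded lookup failed: " + e.getMessage());
        }
    }
}
```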

