[jboss-jira] [JBoss JIRA] (WFLY-10262) CodecSessionConfig#findSessionId() can cause an incorrect JSESSIONID response cookie reusing a requested non-existent session id

Stuart Douglas (JIRA) issues at jboss.org
Thu Apr 19 00:12:00 EDT 2018


     [ https://issues.jboss.org/browse/WFLY-10262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas updated WFLY-10262:
----------------------------------
    Security:     (was: Red Hat Internal)


> CodecSessionConfig#findSessionId() can cause an incorrect JSESSIONID response cookie reusing a requested non-existent session id
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-10262
>                 URL: https://issues.jboss.org/browse/WFLY-10262
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 12.0.0.Final
>            Reporter: Masafumi Miura
>            Assignee: Stuart Douglas
>
> When a client sends a request with a non-existent session id to a web application calling "HttpServletRequest#getRequestedSessionId()" or "HttpServletRequest#isRequestedSessionIdValid()", WildFly responds with an incorrect JSESSIONID response cookie reusing the requested non-existent session id even though a new session id is internally generated.
> {code:title=a simple reproducer}
> <%
> out.println("request.getRequestedSessionId() = " + request.getRequestedSessionId());
> out.println("request.isRequestedSessionIdValid() = " + request.isRequestedSessionIdValid());
> out.println("session.getId() = " + session.getId());
> %>
> {code}
> The following is an example result. WildFly should not respond with "Set-Cookie: JSESSIONID=test.node1" but should respond with a new session id like "Set-Cookie: JSESSIONID=brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML.node1" in this case.
> {code}
> $ curl -v http://node1:8080/test/example.jsp -H "Cookie: JSESSIONID=test"
> ...
> > GET /test/example.jsp HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: node1:8080
> > Accept: */*
> > Cookie: JSESSIONID=test
> >
> < HTTP/1.1 200 OK
> < Connection: keep-alive
> < X-Powered-By: JSP/2.3
> < Set-Cookie: JSESSIONID=test.node1; path=/test
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 143
> < Date: Wed, 18 Apr 2018 17:11:58 GMT
> <
> request.getRequestedSessionId() = test
> request.isRequestedSessionIdValid() = false
> session.getId() = brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML
> {code}
> WildFly's "CodecSessionConfig#findSessionId()" is invoked from Undertow's "HttpServletRequestImpl#getRequestedSessionId()" and "isRequestedSessionIdValid()" to obtain the requested session id.
> In "CodecSessionConfig#findSessionId()", WildFly checks whether the re-encoded session id has changed (i.e. whether the instance-id / jvmRoute information has changed), and if so invokes "this.config.setSessionId(exchange, reencodedSessionId)" to reset the session id. Encoding a non-existent session id always results in a different re-encoded session id, therefore "this.config.setSessionId(exchange, reencodedSessionId)" is always invoked, and this issue happens in this scenario.
> {code:title=Undertow - servlet/src/main/java/io/undertow/servlet/spec/HttpServletRequestImpl.java}
>     @Override
>     public String getRequestedSessionId() {
>         SessionConfig config = originalServletContext.getSessionConfig();
>         if(config instanceof ServletContextImpl.ServletContextSessionConfig) {
>             return ((ServletContextImpl.ServletContextSessionConfig)config).getDelegate().findSessionId(exchange);
>         }
>         return config.findSessionId(exchange);
>     }
>     :
>     @Override
>     public boolean isRequestedSessionIdValid() {
>         HttpSessionImpl session = servletContext.getSession(originalServletContext, exchange, false);
>         if(session == null) {
>             return false;
>         }
>         if(session.isInvalid()) {
>             return false;
>         }
>         return session.getId().equals(getRequestedSessionId());
>     }
> {code}
> {code:title=WildFly - undertow/src/main/java/org/wildfly/extension/undertow/session/CodecSessionConfig.java}
>     @Override
>     public String findSessionId(HttpServerExchange exchange) {
>         String encodedSessionId = this.config.findSessionId(exchange);
>         if (encodedSessionId == null) return null;
>         String sessionId = this.codec.decode(encodedSessionId);
>         // Check if the encoding for this session has changed
>         String reencodedSessionId = this.codec.encode(sessionId);
>         if (!reencodedSessionId.equals(encodedSessionId)) {
>             this.config.setSessionId(exchange, reencodedSessionId);
>         }
>         return sessionId;
>     }
> {code}
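The decode / re-encode check described in the report, modelled as an added example. This is not WildFly or Undertow code: the route codec (which appends a jvmRoute such as "node1"), the cookie-based session config, the `Exchange` stand-in and the in-memory session store are all constructed here to mimic the shapes of `CodecSessionConfig` and `SessionConfig`. `find_session_id_as_reported` mirrors the quoted logic and reproduces the "Set-Cookie: JSESSIONID=test.node1" response for a requested id that names no session; `find_session_id_checked` is an illustrative hardening (an assumption, not the project's fix) that only re-issues the cookie when the decoded id belongs to an existing session, while still re-issuing it for a real session whose route has changed.

```python
"""Model of the session-id re-encoding behaviour described in WFLY-10262.

Added illustration, not WildFly/Undertow code. Every class below is a
constructed stand-in for the corresponding Undertow/WildFly type.
"""
from dataclasses import dataclass, field

ROUTE = "node1"  # constructed jvmRoute / instance-id of this node


class RouteCodec:
    """Stand-in for the route codec: encode appends ".<route>", decode strips it."""

    def __init__(self, route: str) -> None:
        self.route = route

    def encode(self, session_id: str) -> str:
        return f"{session_id}.{self.route}"

    def decode(self, encoded: str) -> str:
        # Everything before the last '.' is the bare session id. An id that
        # never carried a route (e.g. "test") comes back unchanged, so
        # re-encoding it can never equal the original value.
        head, sep, _tail = encoded.rpartition(".")
        return head if sep else encoded


@dataclass
class Exchange:
    """Stand-in for HttpServerExchange: request cookies in, response headers out."""
    request_cookies: dict = field(default_factory=dict)
    response_headers: list = field(default_factory=list)


class CookieSessionConfig:
    """Stand-in for the cookie SessionConfig that CodecSessionConfig wraps."""

    def find_session_id(self, exchange: Exchange):
        return exchange.request_cookies.get("JSESSIONID")

    def set_session_id(self, exchange: Exchange, session_id: str) -> None:
        exchange.response_headers.append(
            ("Set-Cookie", f"JSESSIONID={session_id}; path=/test"))


def find_session_id_as_reported(exchange, config, codec):
    """Mirrors the logic quoted from CodecSessionConfig#findSessionId()."""
    encoded = config.find_session_id(exchange)
    if encoded is None:
        return None
    session_id = codec.decode(encoded)
    reencoded = codec.encode(session_id)
    if reencoded != encoded:           # always true for a route-less id
        config.set_session_id(exchange, reencoded)
    return session_id


def find_session_id_checked(exchange, config, codec, session_store):
    """Illustrative hardening (assumption, not the project's fix): re-issue the
    cookie only when the decoded id names a session this node actually has."""
    encoded = config.find_session_id(exchange)
    if encoded is None:
        return None
    session_id = codec.decode(encoded)
    reencoded = codec.encode(session_id)
    if reencoded != encoded and session_id in session_store:
        config.set_session_id(exchange, reencoded)
    return session_id


def set_cookies(exchange):
    """Return the Set-Cookie values written to the exchange."""
    return [value for name, value in exchange.response_headers if name == "Set-Cookie"]


def run_scenario(requested_cookie, session_store, checked):
    """Drive one request through either variant; returns (id, set_cookies)."""
    codec = RouteCodec(ROUTE)
    config = CookieSessionConfig()
    exchange = Exchange(request_cookies={"JSESSIONID": requested_cookie})
    if checked:
        sid = find_session_id_checked(exchange, config, codec, session_store)
    else:
        sid = find_session_id_as_reported(exchange, config, codec)
    return sid, set_cookies(exchange)


if __name__ == "__main__":
    store = {"abc"}  # constructed: one real session on this node
    print(run_scenario("test", store, checked=False))       # reported behaviour
    print(run_scenario("test", store, checked=True))        # no cookie re-issued
    print(run_scenario("abc.node0", store, checked=True))   # route change still handled
```

Running the module prints the three cases: the reported variant answers the curl request from the report with `JSESSIONID=test.node1`, the checked variant emits nothing for the unknown id, and both variants still re-issue `JSESSIONID=abc.node1` when an existing session arrives carrying a stale route.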



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

