[jboss-jira] [JBoss JIRA] (WFLY-10266) [GSS](7.1.z) CodecSessionConfig#findSessionId() can cause an incorrect JSESSIONID response cookie reusing a requested non-existent session id
Masafumi Miura (JIRA)
issues at jboss.org
Thu Apr 19 06:10:00 EDT 2018
Masafumi Miura created WFLY-10266:
-------------------------------------
Summary: [GSS](7.1.z) CodecSessionConfig#findSessionId() can cause an incorrect JSESSIONID response cookie reusing a requested non-existent session id
Key: WFLY-10266
URL: https://issues.jboss.org/browse/WFLY-10266
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 12.0.0.Final
Reporter: Masafumi Miura
Assignee: Stuart Douglas
Fix For: 13.0.0.Beta1
When a client sends a request with a non-existent session id to a web application that calls "HttpServletRequest#getRequestedSessionId()" or "HttpServletRequest#isRequestedSessionIdValid()", WildFly responds with an incorrect JSESSIONID response cookie that reuses the requested non-existent session id, even though a new session id is generated internally.
{code:title=a simple reproducer}
<%
out.println("request.getRequestedSessionId() = " + request.getRequestedSessionId());
out.println("request.isRequestedSessionIdValid() = " + request.isRequestedSessionIdValid());
out.println("session.getId() = " + session.getId());
%>
{code}
The following is an example result. WildFly should not respond with "Set-Cookie: JSESSIONID=test.node1" but should respond with a new session id like "Set-Cookie: JSESSIONID=brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML.node1" in this case.
{code}
$ curl -v http://node1:8080/test/example.jsp -H "Cookie: JSESSIONID=test"
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: node1:8080
> Accept: */*
> Cookie: JSESSIONID=test
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: JSP/2.3
< Set-Cookie: JSESSIONID=test.node1; path=/test
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 143
< Date: Wed, 18 Apr 2018 17:11:58 GMT
<
request.getRequestedSessionId() = test
request.isRequestedSessionIdValid() = false
session.getId() = brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML
{code}
WildFly's "CodecSessionConfig#findSessionId()" is invoked from Undertow's "HttpServletRequestImpl#getRequestedSessionId()" and "isRequestedSessionIdValid()" to obtain the requested session id.
In "CodecSessionConfig#findSessionId()", WildFly checks whether the re-encoded session id differs from the one received (i.e. whether the instance-id / jvmRoute information has changed) and, if so, invokes "this.config.setSessionId(exchange, reencodedSessionId)" to reset the session id cookie. Re-encoding a non-existent session id always yields a different value (in the example above, the requested "test" decodes to "test" and re-encodes to "test.node1"), so "this.config.setSessionId(exchange, reencodedSessionId)" is always invoked and the requested id is echoed back in the response cookie even though no such session exists.
{code:title=Undertow - servlet/src/main/java/io/undertow/servlet/spec/HttpServletRequestImpl.java}
    @Override
    public String getRequestedSessionId() {
        SessionConfig config = originalServletContext.getSessionConfig();
        if(config instanceof ServletContextImpl.ServletContextSessionConfig) {
            return ((ServletContextImpl.ServletContextSessionConfig)config).getDelegate().findSessionId(exchange);
        }
        return config.findSessionId(exchange);
    }

    // ...

    @Override
    public boolean isRequestedSessionIdValid() {
        HttpSessionImpl session = servletContext.getSession(originalServletContext, exchange, false);
        if(session == null) {
            return false;
        }
        if(session.isInvalid()) {
            return false;
        }
        return session.getId().equals(getRequestedSessionId());
    }
{code}
{code:title=WildFly - undertow/src/main/java/org/wildfly/extension/undertow/session/CodecSessionConfig.java}
    @Override
    public String findSessionId(HttpServerExchange exchange) {
        String encodedSessionId = this.config.findSessionId(exchange);
        if (encodedSessionId == null) return null;
        String sessionId = this.codec.decode(encodedSessionId);
        // Check if the encoding for this session has changed
        String reencodedSessionId = this.codec.encode(sessionId);
        if (!reencodedSessionId.equals(encodedSessionId)) {
            this.config.setSessionId(exchange, reencodedSessionId);
        }
        return sessionId;
    }
{code}
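The following is an added, self-contained model of the behaviour described above; it is not WildFly or Undertow code. The route codec, the "node1" route, the Exchange stand-in and the single known session "abc123" are assumptions, and the "checked" variant is one assumed mitigation (rewrite the cookie only when the decoded id belongs to an existing session), not necessarily the fix that shipped.

```java
import java.util.Set;

// Added, self-contained model of the logic in WFLY-10266; this is not WildFly or Undertow code.
public class CodecSessionConfigDemo {
    static final String ROUTE = "node1";                    // assumed instance-id / jvmRoute of this node
    static final Set<String> SESSIONS = Set.of("abc123");   // constructed: the only session on this node
    // Route codec as it behaves for JSESSIONID: encode appends ".route", decode strips it.
    static String encode(String sessionId) { return sessionId + "." + ROUTE; }
    static String decode(String encoded) {
        int dot = encoded.indexOf('.');
        return dot < 0 ? encoded : encoded.substring(0, dot);
    }
    // Stand-in for the exchange plus the wrapped SessionConfig: request cookie in, Set-Cookie out.
    static final class Exchange {
        final String requestCookie;   // incoming JSESSIONID value
        String responseCookie;        // value written by setSessionId(); null if it was never called
        Exchange(String requestCookie) { this.requestCookie = requestCookie; }
    }
    /** Mirrors the reported behaviour: any encoding change rewrites the cookie, whether or not the session exists. */
    static String findSessionIdBuggy(Exchange ex) {
        if (ex.requestCookie == null) return null;
        String sessionId = decode(ex.requestCookie);
        String reencoded = encode(sessionId);
        if (!reencoded.equals(ex.requestCookie)) {
            ex.responseCookie = reencoded;    // for cookie "test" this echoes back "test.node1"
        }
        return sessionId;
    }
    /** Assumed mitigation (not necessarily the shipped fix): rewrite the cookie only for a session that exists. */
    static String findSessionIdChecked(Exchange ex) {
        if (ex.requestCookie == null) return null;
        String sessionId = decode(ex.requestCookie);
        String reencoded = encode(sessionId);
        if (!reencoded.equals(ex.requestCookie) && SESSIONS.contains(sessionId)) {
            ex.responseCookie = reencoded;    // legitimate case: the route changed for a real session
        }
        return sessionId;
    }
    public static void main(String[] args) {
        // "test": unknown id; "abc123": known id without route; "abc123.node2": known id with a stale route
        for (String cookie : new String[] {"test", "abc123", "abc123.node2"}) {
            Exchange buggy = new Exchange(cookie), checked = new Exchange(cookie);
            findSessionIdBuggy(buggy);
            findSessionIdChecked(checked);
            System.out.printf("JSESSIONID=%s -> buggy Set-Cookie=%s, checked Set-Cookie=%s%n", cookie, buggy.responseCookie, checked.responseCookie);
        }
    }
}
```

Only the unknown id "test" separates the two variants: the buggy path writes a cookie for it, while the checked path leaves the cookie to be set when the new session is actually created.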