[jboss-jira] [JBoss JIRA] (WFLY-10912) CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header

Masafumi Miura (JIRA) issues at jboss.org
Sun Sep 30 21:45:00 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-10912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13640349#comment-13640349 ] 

Masafumi Miura commented on WFLY-10912:
---------------------------------------

[~pferraro], I understand the responsibility of the CodecSessionConfig, but WildFly should not respond back with the JSESSIONID Cookie which is not a valid session id. 

> CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header
> -----------------------------------------------------------------------------------
>
>                 Key: WFLY-10912
>                 URL: https://issues.jboss.org/browse/WFLY-10912
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 13.0.0.Final, 14.0.0.Beta2
>            Reporter: Masafumi Miura
>            Assignee: Paul Ferraro
>
> This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the problem is a bit different.
> The issue happens when the client sends a JSESSIONID Cookie in a request to a web application that does NOT use HttpSession. A JSESSIONID Set-Cookie response header should not be sent in this scenario, but WildFly/EAP 7 returns the response with a JSESSIONID reusing the requested session id, which does not exist in the session manager.
> The fix for WFLY-10262 / JBEAP-14641 added AttachmentKey SESSION_ID_SET to avoid invoking CodecSessionConfig#setSessionId() more than once. However, the fix does not help for this issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET is null) before the problematic CodecSessionConfig#findSessionId() processing in this scenario. 



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
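
A regression check for the behaviour described in the issue above, as an added example that is not part of the original message or of WildFly's code: given the Cookie header a test client sent to an endpoint known not to use HttpSession, and the Set-Cookie headers that came back, it reports any JSESSIONID cookie that hands the client-supplied id back. The header values are constructed samples, and treating anything after the first '.' as a routing suffix is an assumption.

```python
def parse_cookie_header(header):
    """Parse a request Cookie header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value.strip('"')
    return cookies


def set_cookie_pair(header):
    """Return (name, value) from one Set-Cookie header, ignoring attributes."""
    name, _, value = header.split(";", 1)[0].strip().partition("=")
    return name, value.strip('"')


def bare_id(value):
    # Assumption: a routing suffix, if present, follows the first '.'.
    return value.split(".", 1)[0]


def echoed_session_cookies(request_cookie, set_cookie_headers, name="JSESSIONID"):
    """Return the Set-Cookie headers that reuse the id the client sent."""
    sent = parse_cookie_header(request_cookie).get(name)
    if not sent:
        return []
    hits = []
    for header in set_cookie_headers:
        cookie_name, cookie_value = set_cookie_pair(header)
        # An empty value is a cookie deletion, not an echoed id.
        if cookie_name == name and cookie_value and bare_id(cookie_value) == bare_id(sent):
            hits.append(header)
    return hits


# Constructed sample exchange: the client sends an id the server never issued.
REQUEST_COOKIE = "JSESSIONID=constructed-id-0001; theme=dark"
AFFECTED = ["JSESSIONID=constructed-id-0001.node1; path=/app", "theme=dark; path=/"]
EXPECTED = ["theme=dark; path=/"]
NEW_SESSION = ["JSESSIONID=server-made-9999.node1; path=/app"]

if __name__ == "__main__":
    for label, headers in (("affected", AFFECTED), ("expected", EXPECTED)):
        print(label, echoed_session_cookies(REQUEST_COOKIE, headers))
```

The check is only meaningful against an endpoint that never creates a session and with an id the server did not issue; a server may legitimately resend the cookie for a session that exists.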

