[undertow-dev] Possible session lookup bug when no session cookie present

Stuart Douglas sdouglas at redhat.com
Fri Aug 28 18:37:37 EDT 2015


This is a bug.

Stuart

----- Original Message -----
> From: "Toby Crawley" <toby at tcrawley.org>
> To: undertow-dev at lists.jboss.org
> Sent: Saturday, 29 August, 2015 4:41:49 AM
> Subject: [undertow-dev] Possible session lookup bug when no session cookie present
> 
> With this commit[1], calls to Sessions.getOrCreateSession() from
> within a handler where no session cookie was sent with the request
> result in a new Session being created every time, with the last
> Session created actually being the one stored when the exchange is
> completed.
> 
> This means that the following in a handler results in "foo" not being
> in the session on the next request:
> 
> Sessions.getOrCreateSession(exchange).setAttribute("foo", "bar");
> Sessions.getOrCreateSession(exchange);
> 
> Before [1], the second getOrCreateSession() call would return the same
> Session object as the first call, not overwriting the one already
> attached to the request, and "foo" would be preserved.
> 
> I'm not sure if you consider this a bug or not, but wanted to point it
> out just in case. We discovered this in an Immutant test when
> upgrading from undertow 1.1.0, and we were able to work around it with
> a small change to that test. I don't believe this will affect any
> Immutant users, since we handle all Session access for them, and call
> getOrCreateSession() only once during regular operation.
> 
> Let me know if you do consider this a bug, and I'll file a JIRA.
> 
> - Toby
> 
> [1]:
> https://github.com/undertow-io/undertow/commit/a97fec29f379fff6cb5a74ae9a39177a9c36d4ae
> 
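The failure mode reported in this thread, as an added example that is not part of the original messages and is not Undertow's code: a simplified plain-Java model in which every class and method name is hypothetical. It contrasts a get-or-create that consults only the request cookie with one that first checks for a session already attached to the exchange.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model, not Undertow code: all class and method names are hypothetical.
public class SessionLookupModel {
    static class Session {
        final String id = UUID.randomUUID().toString();
        final Map<String, Object> attributes = new HashMap<>();
    }

    static class Exchange {
        String requestCookie;   // session id sent by the client, null on a first request
        Session attached;       // session found or created while handling this request
    }

    static final Map<String, Session> store = new HashMap<>();

    // Looks only at the request cookie, so with no cookie every call creates a session.
    static Session getOrCreateCookieOnly(Exchange ex) {
        Session s = ex.requestCookie == null ? null : store.get(ex.requestCookie);
        if (s == null) {
            s = new Session();
        }
        ex.attached = s;        // overwrites whatever an earlier call attached
        return s;
    }

    // Checks the exchange first, so repeated calls in one request share one session.
    static Session getOrCreateExchangeAware(Exchange ex) {
        return ex.attached != null ? ex.attached : getOrCreateCookieOnly(ex);
    }

    // Runs the two-call handler from the report, then "completes" the exchange.
    static boolean fooSurvives(boolean exchangeAware) {
        Exchange ex = new Exchange();   // constructed request with no session cookie
        Session first = exchangeAware ? getOrCreateExchangeAware(ex) : getOrCreateCookieOnly(ex);
        first.attributes.put("foo", "bar");
        if (exchangeAware) getOrCreateExchangeAware(ex); else getOrCreateCookieOnly(ex);
        store.put(ex.attached.id, ex.attached);   // the last attached session is stored
        return "bar".equals(store.get(ex.attached.id).attributes.get("foo"));
    }

    public static void main(String[] args) {
        System.out.println("cookie-only lookup keeps foo:    " + fooSurvives(false));
        System.out.println("exchange-aware lookup keeps foo: " + fooSurvives(true));
    }
}
```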

