[undertow-dev] Possible session lookup bug when no session cookie present

Stuart Douglas sdouglas at redhat.com
Mon Aug 31 20:45:38 EDT 2015


I have released 1.2.11.Final with this fix.

Stuart

----- Original Message -----
> From: "Toby Crawley" <toby at tcrawley.org>
> To: "Stuart Douglas" <sdouglas at redhat.com>
> Cc: undertow-dev at lists.jboss.org
> Sent: Tuesday, 1 September, 2015 1:33:29 AM
> Subject: Re: [undertow-dev] Possible session lookup bug when no session cookie present
> 
> Okay. I filed https://issues.jboss.org/browse/UNDERTOW-528
> 
> On Fri, Aug 28, 2015 at 6:37 PM, Stuart Douglas <sdouglas at redhat.com> wrote:
> > This is a bug.
> >
> > Stuart
> >
> > ----- Original Message -----
> >> From: "Toby Crawley" <toby at tcrawley.org>
> >> To: undertow-dev at lists.jboss.org
> >> Sent: Saturday, 29 August, 2015 4:41:49 AM
> >> Subject: [undertow-dev] Possible session lookup bug when no session cookie present
> >>
> >> With this commit[1], calls to Sessions.getOrCreateSession() from
> >> within a handler where no session cookie was sent with the request
> >> result in a new Session being created every time, with the last
> >> Session created actually being the one stored when the exchange is
> >> completed.
> >>
> >> This means that the following in a handler results in "foo" not being
> >> in the session on the next request:
> >>
> >> Sessions.getOrCreateSession(exchange).setAttribute("foo", "bar");
> >> Sessions.getOrCreateSession(exchange);
> >>
> >> Before [1], the second getOrCreateSession() call would return the same
> >> Session object as the first call, not overwriting the one already
> >> attached to the request, and "foo" would be preserved.
> >>
> >> I'm not sure if you consider this a bug or not, but wanted to point it
> >> out just in case. We discovered this in an Immutant test when
> >> upgrading from undertow 1.1.0, and we were able to work around it with
> >> a small change to that test. I don't believe this will affect any
> >> Immutant users, since we handle all Session access for them, and call
> >> getOrCreateSession() only once during regular operation.
> >>
> >> Let me know if you do consider this a bug, and I'll file a JIRA.
> >>
> >> - Toby
> >>
> >> [1]:
> >> https://github.com/undertow-io/undertow/commit/a97fec29f379fff6cb5a74ae9a39177a9c36d4ae
> >> _______________________________________________
> >> undertow-dev mailing list
> >> undertow-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/undertow-dev
> >>
> 
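The double-lookup pattern Toby describes, as an added reproduction harness that is not code from this thread or from Undertow itself. It assumes Undertow 1.2.x on the classpath and Java 8 (lambda HttpHandlers); the listener port, the /double and /single paths, the manager name "repro" and the attribute name "foo" are arbitrary choices for the example. On a build affected by UNDERTOW-528, a cookie-less request to /double reports two different session IDs and a null "foo"; on 1.2.11.Final or later it reports one ID and "bar". The /single handler shows the pattern that is correct on every version: resolve the session once per request and pass the reference around.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.session.InMemorySessionManager;
import io.undertow.server.handlers.session.Session;
import io.undertow.server.handlers.session.SessionAttachmentHandler;
import io.undertow.server.handlers.session.SessionCookieConfig;
import io.undertow.util.Headers;
import io.undertow.util.Sessions;

/** Added example (not Undertow project code): reproduces the report above. */
public class SessionLookupRepro {

    // Mirrors the two-line snippet from the report. When the request carries no
    // session cookie, an affected build hands back a fresh Session on the second
    // call, so the attribute set on the first one is not visible and only the
    // last Session created survives the exchange.
    static final HttpHandler DOUBLE_LOOKUP = (HttpServerExchange exchange) -> {
        Session first = Sessions.getOrCreateSession(exchange);
        first.setAttribute("foo", "bar");
        Session second = Sessions.getOrCreateSession(exchange);

        boolean sameSession = first.getId().equals(second.getId());
        Object fooViaSecond = second.getAttribute("foo");   // null on an affected build

        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
        exchange.getResponseSender().send(
                "same session returned twice: " + sameSession + "\n"
              + "foo visible via second lookup: " + fooViaSecond + "\n"
              + "first id:  " + first.getId() + "\n"
              + "second id: " + second.getId() + "\n");
    };

    // Version-independent pattern: one lookup per request, reuse the reference.
    static final HttpHandler SINGLE_LOOKUP = (HttpServerExchange exchange) -> {
        Session session = Sessions.getOrCreateSession(exchange);
        Object previous = session.getAttribute("foo");        // "bar" on the 2nd request
        session.setAttribute("foo", "bar");

        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
        exchange.getResponseSender().send(
                "foo stored by previous request: " + previous + "\n"
              + "session id: " + session.getId() + "\n");
    };

    public static void main(String[] args) {
        // SessionAttachmentHandler is what makes Sessions.getOrCreateSession() work:
        // it attaches the manager and cookie config to every exchange it wraps.
        InMemorySessionManager manager = new InMemorySessionManager("repro");
        SessionCookieConfig cookieConfig = new SessionCookieConfig();

        HttpHandler router = (HttpServerExchange exchange) -> {
            if (exchange.getRequestPath().startsWith("/double")) {
                DOUBLE_LOOKUP.handleRequest(exchange);
            } else {
                SINGLE_LOOKUP.handleRequest(exchange);
            }
        };

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "localhost")
                .setHandler(new SessionAttachmentHandler(router, manager, cookieConfig))
                .build();
        server.start();
    }
}
```

To exercise it, send the first request without a cookie jar (curl -c jar http://localhost:8080/double) and compare the two IDs in the response; then repeat with the jar (curl -b jar -c jar ...) to confirm that a request that does present the JSESSIONID cookie is unaffected, which matches the report that the problem only appears when no session cookie was sent.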

