Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-15303

[GSS](7.4.z) WFLY-10912 - CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header

    XMLWordPrintable

Details

    • +
    • Hide

      1. Deploy web application which has a simple index.html

      $ cd $JBOSS_HOME
$ mkdir standalone/deployments/test.war/
$ echo "<h1>hello</h1>" > standalone/deployments/test.war/index.html
$ touch standalone/deployments/test.war.dodeploy

      2. Start WildFly/EAP 7

      $ ./bin/standalone.sh

      3. Access the page with JSESSIONID

      $ curl -v http://localhost:8080/test/index.html -H "Cookie: JSESSIONID=foobar"

      Then, WildFly/EAP 7 responds with "Set-Cookie: JSESSIONID=foobar.<instance-id>; path=/test".

      The expected behavior is that WildFly/EAP 7 should respond without JSESSIONID Set-Cookie header.

      Show
      1. Deploy web application which has a simple index.html $ cd $JBOSS_HOME $ mkdir standalone/deployments/test.war/ $ echo "<h1>hello</h1>" > standalone/deployments/test.war/index.html $ touch standalone/deployments/test.war.dodeploy 2. Start WildFly/EAP 7 $ ./bin/standalone.sh 3. Access the page with JSESSIONID $ curl -v http: //localhost:8080/test/index.html -H "Cookie: JSESSIONID=foobar" Then, WildFly/EAP 7 responds with "Set-Cookie: JSESSIONID=foobar.<instance-id>; path=/test". The expected behavior is that WildFly/EAP 7 should respond without JSESSIONID Set-Cookie header.

    Description

      This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the problem is a bit different.

      The issue happens when the client sends JSESSIONID Cookie in the request to the web application does NOT use HttpSession. JSESSIONID Set-Cookie response header should not be sent in this scenario, but WildFly/EAP 7 returns the response with JSESSIONID reusing the requested session id which does not exist in the session manager.

      The fix for WFLY-10262 / JBEAP-14641 added AttachmentKey SESSION_ID_SET to avoid invoking CodecSessionConfig#setSessionId() more than once. However, the fix does not help for this issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET is null) before the problematic CodecSessionConfig#findSessionId() processing in this scenario.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-25557 [GSS](7.4.z) Undertow SSO invalidation fails with UnsupportedOperationException

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          clones

          Bug - A problem that impairs or prevents the functions of the product. WFLY-10912 CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              pferraro@redhat.com Paul Ferraro
              rhn-support-mmiura Masafumi Miura
              Petr Adamec Petr Adamec
              Petr Adamec Petr Adamec
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: