JBoss Enterprise Application Platform - JBEAP-15303

[GSS](7.4.z) WFLY-10912 - CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header


1. Deploy a web application which has a simple index.html

$ cd $JBOSS_HOME
$ mkdir standalone/deployments/test.war/
$ echo "<h1>hello</h1>" > standalone/deployments/test.war/index.html
$ touch standalone/deployments/test.war.dodeploy

2. Start WildFly/EAP 7

$ ./bin/standalone.sh

3. Access the page with a JSESSIONID cookie

$ curl -v http://localhost:8080/test/index.html -H "Cookie: JSESSIONID=foobar"

Then, WildFly/EAP 7 responds with "Set-Cookie: JSESSIONID=foobar.<instance-id>; path=/test".

The expected behavior is that WildFly/EAP 7 should respond without a JSESSIONID Set-Cookie header.


This issue is very similar to WFLY-10262/JBEAP-14641, but the condition causing the problem is a bit different.

The issue happens when the client sends a JSESSIONID cookie in a request to a web application that does NOT use HttpSession. No JSESSIONID Set-Cookie response header should be sent in this scenario, but WildFly/EAP 7 returns a response with a JSESSIONID cookie that reuses the requested session id, even though that id does not exist in the session manager.

The fix for WFLY-10262 / JBEAP-14641 added the AttachmentKey SESSION_ID_SET to avoid invoking CodecSessionConfig#setSessionId() more than once. However, that fix does not help here, because in this scenario CodecSessionConfig#setSessionId() is never invoked (so SESSION_ID_SET is null) before the problematic CodecSessionConfig#findSessionId() processing runs.
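The following check script is an added example, not part of this issue or of WildFly/Undertow. It classifies a captured HTTP response header block (from the curl in step 3 above) as OK (no JSESSIONID Set-Cookie), SET (server issued its own id) or LEAK (server echoed the client-supplied id, optionally with the ".<instance-id>" route suffix); a server that confirms an id it never created is the classic session-fixation warning sign. It assumes curl is installed and uses the URL and cookie value from the reproduction steps as defaults.

```shell
#!/bin/sh
# Added check script (not from the JBoss issue): does the server echo a
# client-supplied JSESSIONID back in a Set-Cookie header?
# Assumptions: curl is available; default URL/cookie follow the steps above.

# Return 0 when some Set-Cookie header sets JSESSIONID, 1 otherwise.
# Reads raw response headers on stdin; header names are matched
# case-insensitively because HTTP header names are case-insensitive.
has_jsessionid_set_cookie() {
    tr -d '\r' | grep -i '^set-cookie:[[:space:]]*JSESSIONID=' >/dev/null
}

# Classify a header block read from stdin.
#   $1 = the session id the client sent in its Cookie header
# Prints LEAK when the issued cookie value equals the sent id (with or
# without a ".<instance-id>" suffix), SET for any other JSESSIONID cookie,
# and OK when no JSESSIONID Set-Cookie is present.
classify_headers() {
    sent="$1"
    headers="$(cat | tr -d '\r')"
    cookie="$(printf '%s\n' "$headers" \
        | grep -i '^set-cookie:[[:space:]]*JSESSIONID=' \
        | head -n 1 \
        | sed 's/^[^=]*=//; s/;.*$//')"   # keep only the cookie value
    if [ -z "$cookie" ]; then
        echo OK
    elif [ "$cookie" = "$sent" ] || [ "${cookie%%.*}" = "$sent" ]; then
        echo LEAK
    else
        echo SET
    fi
}

# Live check against a running server (step 3 above); exits non-zero on LEAK.
#   $1 = URL (default: the test.war page), $2 = session id to send
check_server() {
    url="${1:-http://localhost:8080/test/index.html}"
    sent="${2:-foobar}"
    result="$(curl -sS -D - -o /dev/null -H "Cookie: JSESSIONID=$sent" "$url" \
        | classify_headers "$sent")"
    echo "$url -> $result"
    [ "$result" != "LEAK" ]
}
```

Run `check_server` after step 2; an unpatched server prints LEAK for the header described above, while a fixed one prints OK.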

pferraro@redhat.com Paul Ferraro
rhn-support-mmiura Masafumi Miura
Petr Adamec