- Bug
- Resolution: Done
- Major
- 7.1.4.GA
This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the problem is a bit different.
The issue happens when the client sends a JSESSIONID cookie in a request to a web application that does NOT use HttpSession. A JSESSIONID Set-Cookie response header should not be sent in this scenario, but WildFly/EAP 7 returns a response with a JSESSIONID that reuses the requested session id, which does not exist in the session manager.
The fix for WFLY-10262 / JBEAP-14641 added the AttachmentKey SESSION_ID_SET to avoid invoking CodecSessionConfig#setSessionId() more than once. However, that fix does not help with this issue, because in this scenario CodecSessionConfig#setSessionId() has not been invoked (so SESSION_ID_SET is null) before the problematic CodecSessionConfig#findSessionId() processing runs.
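A regression check for the behaviour described above, as an added example (not WildFly or Undertow code): given the Cookie header sent to an endpoint that never uses HttpSession and the Set-Cookie headers that came back, it reports whether a JSESSIONID was set and whether it reuses the client's id. The function names, the sample headers and the handling of a `.route` suffix on the id are assumptions.

```python
from http.cookies import SimpleCookie


def cookie_values(header_values, name="JSESSIONID"):
    """Collect the values of `name` from Cookie or Set-Cookie header values."""
    found = []
    for value in header_values:
        jar = SimpleCookie()
        jar.load(value)  # attributes such as Path/HttpOnly attach to the morsel
        if name in jar:
            found.append(jar[name].value)
    return found


def bare_id(session_id):
    # Assumption: anything after the first "." is a routing suffix added by
    # the server, so "abc.node1" and "abc" name the same session id.
    return session_id.split(".", 1)[0]


def check_stateless_response(cookie_header, set_cookie_headers, name="JSESSIONID"):
    """Classify the response of an endpoint that does not use HttpSession.

    "ok"                        -> no session cookie was set (expected)
    "echoed-client-id"          -> the client-supplied id came back (this issue)
    "unexpected-session-cookie" -> a session cookie with another id was set
    """
    sent = {bare_id(v) for v in cookie_values([cookie_header], name)}
    returned = {bare_id(v) for v in cookie_values(set_cookie_headers, name)}
    if not returned:
        return "ok"
    if sent & returned:
        return "echoed-client-id"
    return "unexpected-session-cookie"


# Constructed sample exchange: the client invents an id the server never issued.
SAMPLE_REQUEST_COOKIE = "JSESSIONID=clientChosen123; theme=dark"
SAMPLE_AFFECTED = ["JSESSIONID=clientChosen123.node1; path=/app; HttpOnly"]
SAMPLE_FIXED = ["theme=dark; Path=/"]

if __name__ == "__main__":
    print(check_stateless_response(SAMPLE_REQUEST_COOKIE, SAMPLE_AFFECTED))
    print(check_stateless_response(SAMPLE_REQUEST_COOKIE, SAMPLE_FIXED))
```

The check is only meaningful for an endpoint known not to create a session; an application that does use HttpSession may legitimately send its own JSESSIONID back.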
- causes: JBEAP-25557 [GSS](7.4.z) Undertow SSO invalidation fails with UnsupportedOperationException (Closed)
- clones: WFLY-10912 CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header (Closed)