JBoss Enterprise Application Platform: JBEAP-22065

[GSS](7.4.z) Do not allow application to create a new session or change the identifier of a session after response is committed



Steps to reproduce

0. Extract example.zip, then build and deploy example.war:

mvn clean package

1. Send a request that generates a new session with 100 session attributes:

curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/new

2. Send a request that responds with a redirect and then regenerates a new session while still holding the previous session object. Either of the two servlets in example.war does this:

RegenerateServlet, which invokes response.redirect(), then session.invalidate() and request.getSession(true):

curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/regenerate

or

ChangeSessionIdServlet, which invokes response.redirect(), then request.changeSessionId():

curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/change

3. Repeat steps 1 and 2.

The session newly generated in step 2 never expires. The activeSessions metric also does not decrease, and the session objects remain in the heap dump.

You can check the activeSessions metric through /metrics:

curl -v http://${SERVER_NAME}:9990/metrics | grep -v "^#" | grep jboss_undertow.*sessions | grep example

You can also check the number of session objects (such as "org.wildfly.clustering.web.infinispan.session.SessionCreationMetaDataKey" and "org.wildfly.clustering.web.infinispan.session.fine.SessionAttributeKey") with jmap (or take a heap dump):

jmap -histo:live $JAVA_PID | grep -e "org.wildfly.clustering.web.*session"

Creating a new session, or changing the identifier of a session, after the response is committed would otherwise result in a session that can never be referenced again, since it is no longer possible to write the requisite JSESSIONID cookie or to encode the Location header of the response. Such a session is unreachable by any client, so it lives on until it times out (or forever, as reproduced above).

These conditions should result in an ISE (IllegalStateException).
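The following servlet is an added illustration of the ordering the issue calls for; it is not the example.war attached to the issue nor code from the EAP/Undertow fix. It assumes the javax.servlet API (Servlet 3.1 or later, as used by EAP 7.4) and a hypothetical application path /home for the redirect target. The requireUncommitted() helper belongs to this example only; it mirrors the check the issue asks the container to enforce, so that an application which regenerates a session after sendRedirect() fails fast instead of leaking an unreachable session.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example servlet (hypothetical, not part of the issue's example.war).
 * Regenerates the caller's session and then redirects, in the only order
 * that lets the container send the new JSESSIONID cookie to the client.
 *
 * Request with ?mode=invalidate to use invalidate()+getSession(true),
 * or without a mode parameter to use changeSessionId().
 */
@WebServlet("/safe-regenerate")
public class SafeRegenerateServlet extends HttpServlet {

    /**
     * Guard from this example (not a container API): a committed response
     * can no longer carry a Set-Cookie header or a Location header, so any
     * session created or renamed now would be unreachable and would linger
     * until its timeout. Fail loudly instead.
     */
    private static void requireUncommitted(HttpServletResponse response, String action) {
        if (response.isCommitted()) {
            throw new IllegalStateException(action + " called after the response was committed");
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession current = request.getSession(false);
        if (current == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "no session to regenerate");
            return;
        }

        if ("invalidate".equals(request.getParameter("mode"))) {
            // Variant matching the issue's RegenerateServlet, but with the
            // session work done BEFORE the redirect commits the response.
            current.invalidate();
            requireUncommitted(response, "getSession(true)");
            request.getSession(true);
        } else {
            // Variant matching the issue's ChangeSessionIdServlet: keep the
            // session object and its attributes, rotate only the identifier.
            requireUncommitted(response, "changeSessionId()");
            request.changeSessionId();
        }

        // sendRedirect() commits the response; nothing session-related may follow it.
        // encodeRedirectURL() lets the container add the session id to the URL
        // when cookies are disabled.
        String target = request.getContextPath() + "/home"; // /home is assumed for this example
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

Swapping the two halves of doGet() (redirect first, then invalidate()/getSession(true) or changeSessionId()) reproduces the leak described in the steps above: the container has already flushed the headers, so the new session id never reaches the client and the session sits in the activeSessions count until its timeout. With the guard in place that mistake surfaces immediately as an IllegalStateException in the server log rather than as a slowly growing heap.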

            pferraro@redhat.com Paul Ferraro