A race condition across multiple requests invoking session invalidate() and changeSessionId() can result in an invalid session being left in the session map. That session is then leaked and won't ever expire, and subsequent requests from the client fail with an error like the one below until they clear their cookie:
17:35:56,213 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /sessiontest/hi.jsp: java.lang.IllegalStateException: UT000010: Session is invalid yXOeMfuedx29nxgqG59iU9g6OSjWA0Vvevw9xb3W
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:548)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.util.SavedRequest.tryRestoreRequest(SavedRequest.java:155)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:74)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@7.4.6.GA-redhat-00002//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@7.4.6.GA-redhat-00002//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
The timing can play out like this to produce the error:
1. Request A is received and starts session invalidate
2. Request B is received and starts changeSessionId
3. Request A progresses in its invalidate call and removes session from the sessions map
4. Request B reaches createAndSaveNewID and sets the session back in the map
5. Request A sets the session to invalid and returns a response clearing the cookie on the client
6. Request B returns, setting the cookie back on the client
7. Request C is sent with the now invalid cookie and hits an error
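The interleaving above, reproduced deterministically as an added example. This is not Undertow's code (InMemorySessionManager itself is not shown on this page): it is a hypothetical minimal session store with the same two operations, using CountDownLatch to pin request B's re-insert between request A's remove and its "set invalid", followed by a locked variant in which both operations serialize on the session and changeSessionId() refuses an already-invalid session. All class, field and latch names (SessionIdRace, RacyStore, LockedStore, removedByA, reinsertedByB, lookup) are assumptions made for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

// Added example, not Undertow's code: a minimal in-memory session store with the
// same two operations as the report, plus latches that force the listed timing.
public class SessionIdRace {

    static final class Session {
        volatile String id;
        volatile boolean invalid;
        Session(String id) { this.id = id; }
    }

    // Racy store: invalidate() and changeSessionId() do not coordinate at all.
    static final class RacyStore {
        final Map<String, Session> sessions = new ConcurrentHashMap<>();
        // Hypothetical latches that pin the interleaving; a real server has none,
        // the ordering simply happens under concurrent requests.
        final CountDownLatch removedByA = new CountDownLatch(1);
        final CountDownLatch reinsertedByB = new CountDownLatch(1);

        // Request A (steps 1, 3, 5): remove from the map, then mark invalid.
        void invalidate(Session s) throws InterruptedException {
            sessions.remove(s.id);            // step 3
            removedByA.countDown();
            reinsertedByB.await();            // window between steps 3 and 5
            s.invalid = true;                 // step 5
        }

        // Request B (steps 2, 4, 6): pick a new id and put the session back.
        String changeSessionId(Session s, String newId) throws InterruptedException {
            removedByA.await();               // B reaches its re-insert after A's remove
            sessions.remove(s.id);            // no-op here, A already removed it
            s.id = newId;
            sessions.put(newId, s);           // step 4: the doomed session is back in the map
            reinsertedByB.countDown();
            return newId;                     // step 6: this id goes back to the client
        }
    }

    // Locked store: both operations run under the session's monitor, and a
    // changeSessionId() that loses the race fails instead of re-inserting.
    static final class LockedStore {
        final Map<String, Session> sessions = new ConcurrentHashMap<>();

        void invalidate(Session s) {
            synchronized (s) {
                s.invalid = true;             // mark first, so a later changeSessionId sees it
                sessions.remove(s.id);
            }
        }

        String changeSessionId(Session s, String newId) {
            synchronized (s) {
                if (s.invalid) throw new IllegalStateException("UT000010: Session is invalid " + s.id);
                sessions.remove(s.id);
                s.id = newId;
                sessions.put(newId, s);
                return newId;
            }
        }
    }

    // Request C: what a later request does with the cookie it was handed.
    static String lookup(Map<String, Session> sessions, String cookieId) {
        Session s = sessions.get(cookieId);
        if (s == null) return "no session for cookie, a fresh one would be created";
        if (s.invalid) throw new IllegalStateException("UT000010: Session is invalid " + cookieId);
        return "ok";
    }

    public static void main(String[] args) throws InterruptedException {
        RacyStore racy = new RacyStore();
        Session s = new Session("old-id");
        racy.sessions.put(s.id, s);
        Thread a = new Thread(() -> { try { racy.invalidate(s); } catch (InterruptedException ignored) { } });
        Thread b = new Thread(() -> { try { racy.changeSessionId(s, "new-id"); } catch (InterruptedException ignored) { } });
        a.start(); b.start(); a.join(); b.join();
        // The session is still in the map under the new id and is marked invalid:
        // it will never be expired, and request C fails the same way the log shows.
        System.out.println("racy: in map under new-id=" + racy.sessions.containsKey("new-id") + " invalid=" + s.invalid);
        try {
            System.out.println("racy: request C -> " + lookup(racy.sessions, "new-id"));
        } catch (IllegalStateException e) {
            System.out.println("racy: request C -> " + e.getMessage());
        }

        LockedStore locked = new LockedStore();
        Session t = new Session("old-id");
        locked.sessions.put(t.id, t);
        Thread c = new Thread(() -> locked.invalidate(t));
        Thread d = new Thread(() -> { try { locked.changeSessionId(t, "new-id"); } catch (IllegalStateException lost) { } });
        c.start(); d.start(); c.join(); d.join();
        // Whichever operation won, no invalid session is left in the map.
        System.out.println("locked: invalid session left in map=" + locked.sessions.values().stream().anyMatch(x -> x.invalid));
    }
}
```

Run with `javac SessionIdRace.java && java SessionIdRace`. The locked variant relies on two things the racy one lacks: invalidate() flips the invalid flag before touching the map, and changeSessionId() checks that flag under the same lock before re-inserting, so the "remove, then re-insert, then mark invalid" ordering from steps 3 to 5 cannot occur.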
UNDERTOW-2147 race condition between session invalidate and changeSessionId leads to UT000010
Status: Closed