Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9707

(7.0.x) UNDERTOW-1006 - JSESSIONID not trusted by CachedAuthenticatedSessionHandler

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 7.0.6.GA, 7.0.7.CR1, 7.0.7.GA
    • None
    • None
    • None
    • EAP 7.0.7

      As described in this forum post and in the following reproducer application when an HttpSesion is created from a secured call without previous provided JSESSIONID, the generated JSESSIONID is not stable and is regenerated by a next secured call.
      This behavior causes calls failures if several parallel calls are fired behind the first one.

      Why the generated JSESSIONID is not trusted whereas it is issued by a secure call without previous JSESSIONID?

      The only workarounds I have found so far are:

      • make an unnecessary secured call in order to stabilize the JSESSIONID before the parallel calls are fired
      • or deactivate ChangeSessionIdOnLogin feature by the use of an undertow servlet extension (introduction of security issue)

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              sdouglas1@redhat.com Stuart Douglas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: