
JSESSIONID not trusted by CachedAuthenticatedSessionHandler


      As described in this forum post and in the following reproducer application, when an HttpSession is created from a secured call without a previously provided JSESSIONID, the generated JSESSIONID is not stable and is regenerated by the next secured call.
      This behavior causes call failures if several parallel calls are fired behind the first one.

      Why is the generated JSESSIONID not trusted, whereas it is issued by a secure call without a previous JSESSIONID?

      The only workarounds I have found so far are:

      • make an unnecessary secured call in order to stabilize the JSESSIONID before the parallel calls are fired
      • or deactivate the ChangeSessionIdOnLogin feature by using an Undertow servlet extension (which introduces a security issue)

            sdouglas1@redhat.com Stuart Douglas
            matthieu.brouillard_jira Matthieu Brouillard (Inactive)