Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1006

JSESSIONID not trusted by CachedAuthenticatedSessionHandler

XMLWordPrintable

      As described in this forum post and in the following reproducer application when an HttpSesion is created from a secured call without previous provided JSESSIONID, the generated JSESSIONID is not stable and is regenerated by a next secured call.
      This behavior causes calls failures if several parallel calls are fired behind the first one.

      Why the generated JSESSIONID is not trusted whereas it is issued by a secure call without previous JSESSIONID?

      The only workarounds I have found so far are:

      • make an unnecessary secured call in order to stabilize the JSESSIONID before the parallel calls are fired
      • or deactivate ChangeSessionIdOnLogin feature by the use of an undertow servlet extension (introduction of security issue)

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              matthieu.brouillard_jira Matthieu Brouillard (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: