Undertow issue UNDERTOW-1790

UT000010: Session is invalid due to Spring's session fixation strategy

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.21.Final
    • Fix Version/s: None
    • Component/s: Core
    • Labels: None
    • Steps to Reproduce:
      We use a vanilla Wildfly 17.0.1.Final release in standalone mode.
      Have a servlet that changes the http session ID via HttpServletRequest.changeSessionId() and fire multiple concurrent requests against the server using a stateful cookie manager.
      See attached InMemorySessionTestCase.java for a unit test.
    • Workaround:
      Workaround Exists
    • Workaround Description:
      use Spring's NullAuthenticatedSessionStrategy

      Description

      We discovered that InMemorySessionManager.SessionImpl.changeSessionId(HttpServerExchange, SessionConfig) is not thread safe.

      The issue arose in conjunction with Spring's ChangeSessionIdAuthenticationStrategy, which changes the HTTP session ID for each request. When we now get concurrent requests with the same session in Wildfly 17.0.1, it manages to corrupt the sessions map in InMemorySessionManager, leading to UT000010: Session is invalid exceptions and a memory leak.
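      The following is an added illustration, not the reporter's attached test case and not Undertow's InMemorySessionManager code. It models the failure class the report describes with a hypothetical session registry: a session-ID rotation implemented as get-then-remove-then-put on a shared map (RacyRegistry) lets two concurrent requests carrying the same cookie both "win", leaving an orphan entry that never expires, while a rotation that claims the old entry with a single atomic remove() (AtomicRegistry) keeps exactly one entry per live session. All class and method names here are constructed for the example.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Constructed model of an in-memory session registry (hypothetical; NOT Undertow's
 * InMemorySessionManager). It only shows why session-ID rotation must be one
 * atomic operation on the sessions map.
 */
abstract class SessionRegistry {
    protected final Map<String, Object> sessions = new ConcurrentHashMap<>();

    String create() {
        String id = UUID.randomUUID().toString();
        sessions.put(id, new Object());          // the Object stands in for session state
        return id;
    }

    int size() { return sessions.size(); }

    /** Moves the session stored under oldId to a fresh id; null if nothing is under oldId. */
    abstract String changeSessionId(String oldId);
}

/** Check-then-act spread over three map operations: not atomic. */
final class RacyRegistry extends SessionRegistry {
    @Override String changeSessionId(String oldId) {
        Object session = sessions.get(oldId);
        if (session == null) return null;
        String newId = UUID.randomUUID().toString();
        sessions.remove(oldId);                  // a second caller that already passed get()
        sessions.put(newId, session);            // stores the same session under another id:
        return newId;                            // an orphan entry the client never presents again
    }
}

/** Claim the old entry with one atomic remove(); every concurrent loser gets null. */
final class AtomicRegistry extends SessionRegistry {
    @Override String changeSessionId(String oldId) {
        Object session = sessions.remove(oldId); // atomic on ConcurrentHashMap
        if (session == null) return null;        // caller must treat this as a stale cookie
        String newId = UUID.randomUUID().toString();
        sessions.put(newId, session);
        return newId;
    }
}

public class SessionIdRotationRace {
    /**
     * Fires `threads` simultaneous rotations of the same session id, like concurrent
     * requests that all carry the same cookie. Returns the number of map entries left
     * for what is still exactly one live session; anything above 1 is a leaked orphan.
     */
    static int rotateConcurrently(SessionRegistry registry, int threads) throws InterruptedException {
        String id = registry.create();
        CountDownLatch start = new CountDownLatch(1);
        CountDownLatch done = new CountDownLatch(threads);
        AtomicInteger winners = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int i = 0; i < threads; i++) {
            pool.execute(() -> {
                try {
                    start.await();               // release all threads at once
                    if (registry.changeSessionId(id) != null) winners.incrementAndGet();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    done.countDown();
                }
            });
        }
        start.countDown();
        done.await(10, TimeUnit.SECONDS);
        pool.shutdownNow();
        if (winners.get() != registry.size()) throw new AssertionError("entries and winners diverged");
        return registry.size();
    }

    public static void main(String[] args) throws InterruptedException {
        int rounds = 200, threads = 16;
        int leaked = 0;
        for (int r = 0; r < rounds; r++) {       // the race is timing dependent, so repeat
            leaked += rotateConcurrently(new RacyRegistry(), threads) - 1;
        }
        System.out.println("RacyRegistry: orphan entries leaked over " + rounds + " rounds: " + leaked);
        for (int r = 0; r < rounds; r++) {       // invariant holds on every round
            if (rotateConcurrently(new AtomicRegistry(), threads) != 1) {
                throw new AssertionError("AtomicRegistry broke the one-entry invariant");
            }
        }
        System.out.println("AtomicRegistry: exactly one entry per session in all rounds");
    }
}
```

      The leak count printed for RacyRegistry varies from run to run because it depends on thread interleaving; a zero on one run does not show the code is safe, which is the same reason a stress test like the reporter's is the right tool here. Note that even the atomic variant returns null to every request that loses the race, so the request path still has to decide how to answer a client that presented an id which was rotated away moments earlier; what the atomic claim guarantees is only that the map cannot accumulate entries for a session that no client can reach.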

      People

      • Assignee: flavia.rainone Flavia Rainone
      • Reporter: pressenna Pressenna Sockalingasamy