Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1902

Undertow allows session creation and session ID change after response is committed.

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 2.3.0.Final, 2.3.0.Beta1
    • 2.2.8.Final
    • Core
    • None

    Description

      The javadoc for HttpServletRequest.getSession(boolean) indicates:

      To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.

      However, Undertow will happily create a new session, even if ServletResponse.isCommitted() returns true.  Sessions created after the response is committed cannot be referenced by any client (as we can no longer write a cookie to the response headers, nor encode the session identifier into the redirect location header) - and thus will remain in memory until they expire.  If this new session uses a maxInactiveInterval of 0 (or any negative value), this will cause a permanent memory leak (hence the critical priority). For the same reason, calls to HttpServletRequest.changeSessionId() should also throw an ISE if the response is committed.

      I suggest changing Undertow's default behavior to throw an ISE - in compliance with the servlet spec - but add a DeploymentInfo property to allow applications to tolerate this behavior (for compatibility reasons). This is best handled within Undertow directly, rather than requiring this condition to be handled by individual SessionManager implementations.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22065 [GSS](7.4.z) Do not allow application to create a new session or change the identifier of a session after response is committed

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22066 [GSS](7.3.z) WFLY-14877 - Do not allow application to create a new session or change the identifier of a session after response is committed

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. WFLY-14877 Do not allow application to create a new session or change the identifier of a session after response is committed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-17017 Upgrade Undertow to 2.3.0.Beta1

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-6056 Upgrade Undertow to 2.3.0.Beta1

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. WFLY-18170 Fix Faces 4.0 TCK failures

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              pferraro@redhat.com Paul Ferraro
              pferraro@redhat.com Paul Ferraro
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: