- Bug
- Resolution: Done
- Critical
- 2.2.18.SP2
- None
A race condition between concurrent requests invoking session invalidate and changeSessionId can leave an invalid session in the session map. That session is then leaked and never expires, and subsequent requests from the same client fail with an error like the one below until they clear their cookie:
17:35:56,213 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /sessiontest/hi.jsp: java.lang.IllegalStateException: UT000010: Session is invalid yXOeMfuedx29nxgqG59iU9g6OSjWA0Vvevw9xb3W
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:548)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.util.SavedRequest.tryRestoreRequest(SavedRequest.java:155)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:74)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@7.4.6.GA-redhat-00002//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@7.4.6.GA-redhat-00002//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
The timing can play out as follows:
1. Request A is received and starts session invalidate
2. Request B is received and starts changeSessionId
3. Request A progresses in its invalidate call and removes the session from the sessions map
4. Request B reaches createAndSaveNewID and puts the session back in the map
5. Request A marks the session invalid and returns a response clearing the cookie on the client
6. Request B returns, setting the cookie back on the client
7. Request C is sent with the now invalid cookie and hits the error
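Added example (constructed here, not Undertow's code): a toy Python model of the session map that forces the seven-step interleaving above with two threads, shows the invalidated session left in the map with request C failing on it, and contrasts a guarded variant that holds the session's lock across the whole invalidate / changeSessionId call. The guarded variant is an illustrative mitigation, not Undertow's actual fix; all class and method names are assumed.

```python
import threading
from contextlib import suppress

class SessionInvalid(Exception): pass  # stand-in for Undertow's UT000010 IllegalStateException
class Session:
    def __init__(self, sid):
        self.id, self.invalid, self.lock = sid, False, threading.RLock()

class SessionManager:  # constructed toy, not Undertow's InMemorySessionManager
    def __init__(self, guarded):  # guarded=True: hold the session lock for each whole operation
        self.sessions, self.guarded, self.counter = {}, guarded, 0
    def _lock(self, s):  # unguarded: a fresh throwaway lock, i.e. no mutual exclusion at all
        return s.lock if self.guarded else threading.RLock()
    def create(self):
        self.counter += 1
        s = self.sessions[f"sess-{self.counter}"] = Session(f"sess-{self.counter}")
        return s
    def invalidate(self, s, pause=lambda: None):
        with self._lock(s):
            self.sessions.pop(s.id, None)  # step 3: removed from the map
            pause()                        # window in which request B runs
            s.invalid = True               # step 5: marked invalid
    def change_session_id(self, s, pause=lambda: None):
        with self._lock(s):
            pause()
            if s.invalid:                  # passes during the race: A has not reached step 5
                raise SessionInvalid(s.id)
            self.sessions.pop(s.id, None)
            self.counter += 1
            s.id = f"sess-{self.counter}"
            self.sessions[s.id] = s        # step 4: session put back under the new id
    def get_attribute(self, sid):          # request C, like SessionImpl.getAttribute
        if self.sessions[sid].invalid:
            raise SessionInvalid(sid)
        return self.sessions[sid]

def run_race(guarded):  # force the report's interleaving with two threads; return the manager
    m, a_removed, b_done = SessionManager(guarded), threading.Event(), threading.Event()
    s = m.create()
    def request_b():
        with suppress(SessionInvalid):     # guarded manager: B refuses, nothing leaks
            m.change_session_id(s, lambda: a_removed.wait(0.5))
        b_done.set()
    a = threading.Thread(target=m.invalidate, args=(s, lambda: (a_removed.set(), b_done.wait(0.5))))
    b = threading.Thread(target=request_b)
    a.start(); b.start(); a.join(); b.join()
    return m

def leaked_sessions(m):  # invalid sessions still in the map: these never expire
    return [sid for sid, s in m.sessions.items() if s.invalid]
```

With the guarded manager either thread may win the lock, but both orderings end with an empty map: if A wins, B sees the invalidated session and refuses; if B wins, A's invalidate removes the session under its new id.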
- is cloned by: JBEAP-23929 [GSS](7.4.z) UNDERTOW-2147 - race condition between session invalidate and changeSessionId leads to UT000010 (Closed)
- is incorporated by:
  - WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764) (Closed)
  - WFLY-17017 Upgrade Undertow to 2.3.0.Beta1 (Closed)
  - WFCORE-6056 Upgrade Undertow to 2.3.0.Beta1 (Closed)
  - WFLY-17107 Upgrade Undertow legacy to 2.2.20.Final (Closed)
- relates to: UNDERTOW-1790 UT000010: Session is invalid due to concurrent calls changeSessionId() calls on same session (Resolved)