Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 2.2.12.Final, 2.2.33.Final
Affects Version/s: 2.2.17.Final
Component/s: Core
Labels:
None

Git Pull Request:
https://github.com/undertow-io/undertow/pull/1380, https://github.com/undertow-io/undertow/pull/1470

Description

since ~~UNDERTOW-1489UNDERTOW-1612UNDERTOW-1676~~ support for multiple cookies with the same name but different path settings are supported.

If you have multiple webapps in one (wildfly) ear each app registers its own SessionCookieConfig instance with the related path. ( In our case one under root "/" and one under "/theapp".

While logging in in 2 browser tabs 2 JSESSIONID cookies with different path are created.

But preceding calls of "/theapp"-APP returns the wrong sessionid ( the one of "/" ).

So all those calls to protected resources under "/theapp" fails dues to "no session attached"

To get the sessionId the system calls "getRequestCookie()" on HttpServerExchange with this impl:

public Cookie getRequestCookie(final String name) {
         if (name == null) return null;
         for (Cookie cookie : requestCookies()) {
             if (name.equals(cookie.getName())) {
                // TODO: QUESTION: Shouldn't we check instead of just name also
                // TODO  requestPath (stored in this exchange request path) and
                // TODO: domain (stored in Host HTTP header).  
                return cookie;
             }
         }
         return null;
     }

So I think the path must be checked here as well, or?

Attachments

Issue Links

is blocked by

UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.

Pull Request Sent

Activity

People

Assignee:: Bartosz Baranowski

Reporter:: Markus Lutum (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022/08/31 8:23 AM

Updated:: 2024/04/19 4:20 AM