Undertow / UNDERTOW-478

request.isRequestedSessionIdValid() returns true even when requested session has expired


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 1.3.0.Beta3
    • 1.2.7.Final
    • Component: Servlet

      This is servlet code I used to reproduce it:

      package org.jboss.qa.management.web.resources;
      
      import java.io.IOException;
      import java.io.PrintWriter;
      
      import javax.servlet.ServletException;
      import javax.servlet.annotation.WebServlet;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;
      
      /**
       * Created by rhatlapa on 10/14/14.
       */
      
      @WebServlet(name="SessionTimeoutCheck", urlPatterns={"/SessionTimeoutCheck"})
      public class SessionTimeoutCheckServlet extends HttpServlet {
      
          @Override
          protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
              HttpSession session = request.getSession();
              response.setContentType("text/html");
      
              PrintWriter out = response.getWriter();
              out.write("Current session ID: " + session.getId());
              out.write("<br />\n");
              out.write("Requested session ID " + request.getRequestedSessionId());
              out.write("<br />\n");
              if (request.getRequestedSessionId() != null) {
                  if (request.isRequestedSessionIdValid()) {
                      out.write("Valid session");
                  } else {
                      out.write("Session expired");
                  }
              } else {
                  out.write("No sessionId specified => new session");
              }
          }
      }
      

      Then set session timeout to minimum value:

      /subsystem=undertow/servlet-container=default:write-attribute(name=default-session-timeout,value=1)
      reload
      

      Try various requests on:

      localhost:8080/[warname]/SessionTimeoutCheck
      

      to see that even when session has expired the "Valid session" text appears on the page.


      When calling

      request.isRequestedSessionIdValid()
      

      in servlet code, this method returns true even when the particular requested session has expired and a different session is now in use.

      Expected behaviour:

      • return true if current valid session is same as requested by client in preceding request
      • return false if current valid session is different (new) from the one requested by client in preceding request

      Not sure, but the source of the problem is probably in the implementation of that method here:
      https://github.com/undertow-io/undertow/blob/90789748d3b493d7a233a4ef5ba8ae33032c1543/servlet/src/main/java/io/undertow/servlet/spec/HttpServletRequestImpl.java#L377
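      The expected behaviour listed above can be checked directly in application code without relying on isRequestedSessionIdValid(): compare the id the client presented with the id of the session the container actually resolved. The filter below is an added example written for this report, not code from Undertow or from the reporter; the package name, the filter name, the request attribute "org.example.session.stale" and the "X-Session-State" response header are assumptions chosen for illustration.

```java
package org.example.session; // hypothetical package for this example

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Compares the requested session id with the session the container resolved
 * for this request, which is the semantics the report's "expected behaviour"
 * describes, instead of trusting request.isRequestedSessionIdValid().
 */
@WebFilter(filterName = "RequestedSessionCheckFilter", urlPatterns = {"/*"})
public class RequestedSessionCheckFilter implements Filter {

    /** Request attribute set when the client presented a stale session id (hypothetical name). */
    public static final String STALE_SESSION_ATTR = "org.example.session.stale";

    /**
     * Returns true only when the client sent a session id AND that id names
     * the live session the container resolved for this request.
     * getSession(false) is used so the check itself never creates a session.
     */
    public static boolean requestedSessionMatchesCurrent(HttpServletRequest request) {
        String requested = request.getRequestedSessionId();
        if (requested == null) {
            return false; // no id presented: nothing to validate
        }
        HttpSession current = request.getSession(false);
        return current != null && requested.equals(current.getId());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String requested = request.getRequestedSessionId();
        if (requested != null && !requestedSessionMatchesCurrent(request)) {
            // The id the client sent no longer maps to a live session (expired,
            // invalidated, or never issued by this container). Record it for the
            // application and the server log so the servlet can render a
            // "session expired" page instead of silently continuing in a fresh
            // session. The stale id itself is deliberately not logged.
            request.setAttribute(STALE_SESSION_ATTR, Boolean.TRUE);
            request.getServletContext().log(
                    "stale session id presented for " + request.getRequestURI()
                    + " from " + request.getRemoteAddr());
            response.setHeader("X-Session-State", "expired"); // hypothetical header
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

      Two caveats on the comparison: it must run before anything that rotates the id for the current request (for example HttpServletRequest.changeSessionId() on login), or the rotated id will look like a mismatch; and if a servlet has already called request.getSession() and so created a replacement session, getSession(false) returns that new session, whose id differs from the requested one, so the check still reports the old session as expired, which is the outcome the report expects.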

              Stuart Douglas (Inactive)
              Jan Stourac