Type: Bug
Resolution: Done
Priority: Major
Version: 12.0.0.Final
When a client sends a request carrying a non-existent session id to a web application that calls "HttpServletRequest#getRequestedSessionId()" or "HttpServletRequest#isRequestedSessionIdValid()", WildFly responds with an incorrect JSESSIONID response cookie that reuses the requested non-existent session id, even though a new session id is generated internally.
<%
    out.println("request.getRequestedSessionId() = " + request.getRequestedSessionId());
    out.println("request.isRequestedSessionIdValid() = " + request.isRequestedSessionIdValid());
    out.println("session.getId() = " + session.getId());
%>
The following is an example result. In this case WildFly should not respond with "Set-Cookie: JSESSIONID=test.node1"; it should respond with the newly generated session id, e.g. "Set-Cookie: JSESSIONID=brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML.node1".
$ curl -v http://node1:8080/test/example.jsp -H "Cookie: JSESSIONID=test"
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: node1:8080
> Accept: */*
> Cookie: JSESSIONID=test
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: JSP/2.3
< Set-Cookie: JSESSIONID=test.node1; path=/test
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 143
< Date: Wed, 18 Apr 2018 17:11:58 GMT
<
request.getRequestedSessionId() = test
request.isRequestedSessionIdValid() = false
session.getId() = brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML
WildFly's "CodecSessionConfig#findSessionId()" is invoked from Undertow's "HttpServletRequestImpl#getRequestedSessionId()" and "HttpServletRequestImpl#isRequestedSessionIdValid()" to obtain the requested session id.
In "CodecSessionConfig#findSessionId()", WildFly decodes the requested id, re-encodes it, and checks whether the re-encoded session id differs from the one received (i.e. whether the instance-id / jvmRoute information has changed); if it does, it invokes "this.config.setSessionId(exchange, reencodedSessionId)" to reset the session id cookie. Re-encoding a non-existent session id always yields a value different from the one received, so "this.config.setSessionId(exchange, reencodedSessionId)" is always invoked in this scenario, and the client-supplied id is echoed back in the response cookie.
@Override
public String getRequestedSessionId() {
    SessionConfig config = originalServletContext.getSessionConfig();
    if(config instanceof ServletContextImpl.ServletContextSessionConfig) {
        return ((ServletContextImpl.ServletContextSessionConfig)config).getDelegate().findSessionId(exchange);
    }
    return config.findSessionId(exchange);
}
:
@Override
public boolean isRequestedSessionIdValid() {
    HttpSessionImpl session = servletContext.getSession(originalServletContext, exchange, false);
    if(session == null) {
        return false;
    }
    if(session.isInvalid()) {
        return false;
    }
    return session.getId().equals(getRequestedSessionId());
}
@Override
public String findSessionId(HttpServerExchange exchange) {
    String encodedSessionId = this.config.findSessionId(exchange);
    if (encodedSessionId == null) return null;
    String sessionId = this.codec.decode(encodedSessionId);
    // Check if the encoding for this session has changed
    String reencodedSessionId = this.codec.encode(sessionId);
    if (!reencodedSessionId.equals(encodedSessionId)) {
        this.config.setSessionId(exchange, reencodedSessionId);
    }
    return sessionId;
}
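The following is an added illustration, not code from WildFly or Undertow. It models the decode/re-encode round trip of "CodecSessionConfig#findSessionId()" with a stand-in route-appending codec, shows why a client-supplied id with no route suffix ("test") always re-encodes to something different ("test.node1") and therefore always ends up in the response cookie, and places an illustrative guard beside it that only re-sets the cookie for ids the session store actually knows. The classes, the "node1"/"node0" routes and the guard are assumptions made for this example; the guard is not the project's actual fix.

```java
import java.util.HashSet;
import java.util.Set;

/*
 * Added illustration, not WildFly/Undertow code. RouteCodec, Exchange and
 * SessionStore are constructed stand-ins for the codec, the HttpServerExchange
 * and the session manager.
 */
public class SessionIdReencodeDemo {

    /** Models a jvmRoute-appending codec: "abc" encodes to "abc.node1" and back. */
    static final class RouteCodec {
        private final String route;
        RouteCodec(String route) { this.route = route; }

        String encode(String sessionId) {
            return sessionId + "." + route;
        }

        String decode(String encoded) {
            int dot = encoded.indexOf('.');
            // A value without a route suffix decodes to itself; a client-supplied
            // "test" therefore re-encodes to "test.node1", which never equals "test".
            return dot < 0 ? encoded : encoded.substring(0, dot);
        }
    }

    /** Stands in for the exchange: the request cookie in, the response cookie out. */
    static final class Exchange {
        final String requestCookie;
        String responseCookie; // stays null until setSessionId() is modelled
        Exchange(String requestCookie) { this.requestCookie = requestCookie; }
    }

    /** Stands in for a session manager that knows which ids actually exist. */
    static final class SessionStore {
        private final Set<String> known = new HashSet<>();
        void create(String id) { known.add(id); }
        boolean exists(String id) { return known.contains(id); }
    }

    /** The behaviour the report describes: re-set the cookie whenever re-encoding differs. */
    static String findSessionIdAsReported(RouteCodec codec, Exchange ex) {
        String encoded = ex.requestCookie;
        if (encoded == null) return null;
        String sessionId = codec.decode(encoded);
        String reencoded = codec.encode(sessionId);
        if (!reencoded.equals(encoded)) {
            ex.responseCookie = reencoded; // the client-chosen id is echoed back out
        }
        return sessionId;
    }

    /** Illustrative guard (an assumption, not the project's fix): re-set the cookie only for known ids. */
    static String findSessionIdGuarded(RouteCodec codec, SessionStore store, Exchange ex) {
        String encoded = ex.requestCookie;
        if (encoded == null) return null;
        String sessionId = codec.decode(encoded);
        String reencoded = codec.encode(sessionId);
        if (!reencoded.equals(encoded) && store.exists(sessionId)) {
            ex.responseCookie = reencoded; // route changed for a real session: correct the cookie
        }
        return sessionId;
    }

    public static void main(String[] args) {
        RouteCodec codec = new RouteCodec("node1");
        SessionStore store = new SessionStore();
        // A session that really exists; the id is the one shown in the report's curl output.
        store.create("brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML");

        // Case 1: a non-existent id without a route suffix, as in the curl run above.
        Exchange bogus = new Exchange("test");
        findSessionIdAsReported(codec, bogus);
        System.out.println("as reported, Set-Cookie: JSESSIONID=" + bogus.responseCookie);

        Exchange bogusGuarded = new Exchange("test");
        findSessionIdGuarded(codec, store, bogusGuarded);
        System.out.println("guarded, response cookie: " + bogusGuarded.responseCookie);

        // Case 2: a known session whose route changed (failover) still gets its cookie corrected,
        // which is the case the re-encoding check exists for.
        Exchange moved = new Exchange("brzJWBXpBnUZelcwnI9HCEbw9X6d0oQ5PypfiwML.node0");
        findSessionIdGuarded(codec, store, moved);
        System.out.println("guarded, Set-Cookie: JSESSIONID=" + moved.responseCookie);
    }
}
```

Compile and run with `javac SessionIdReencodeDemo.java && java SessionIdReencodeDemo`. Case 1 reproduces the report: the unguarded path writes the client-supplied "test" back out with the route appended, while the guarded path leaves the response cookie unset so that only the newly created session's id is ever sent. Case 2 shows that the guard keeps the original purpose of the check (correcting the jvmRoute of an existing session) intact.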
Is cloned by: JBEAP-14641 [GSS](7.1.z) CodecSessionConfig#findSessionId() can cause an incorrect JSESSIONID response cookie reusing a requested non-existent session id (Closed)