Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-10912

CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 13.0.0.Final, 14.0.0.Beta2
    • None
    • Web (Undertow)
    • None
    • Hide

      1. Deploy web application which has a simple index.html

      $ cd $JBOSS_HOME
      $ mkdir standalone/deployments/test.war/
      $ echo "<h1>hello</h1>" > standalone/deployments/test.war/index.html
      $ touch standalone/deployments/test.war.dodeploy
      

      2. Start WildFly/EAP 7

      $ ./bin/standalone.sh
      

      3. Access the page with JSESSIONID

      $ curl -v http://localhost:8080/test/index.html -H "Cookie: JSESSIONID=foobar"
      

      Then, WildFly/EAP 7 responds with "Set-Cookie: JSESSIONID=foobar.<instance-id>; path=/test".

      The expected behavior is that WildFly/EAP 7 should respond without JSESSIONID Set-Cookie header.

      Show
      1. Deploy web application which has a simple index.html $ cd $JBOSS_HOME $ mkdir standalone/deployments/test.war/ $ echo "<h1>hello</h1>" > standalone/deployments/test.war/index.html $ touch standalone/deployments/test.war.dodeploy 2. Start WildFly/EAP 7 $ ./bin/standalone.sh 3. Access the page with JSESSIONID $ curl -v http: //localhost:8080/test/index.html -H "Cookie: JSESSIONID=foobar" Then, WildFly/EAP 7 responds with "Set-Cookie: JSESSIONID=foobar.<instance-id>; path=/test". The expected behavior is that WildFly/EAP 7 should respond without JSESSIONID Set-Cookie header.

    Description

      This issue is very similar to WFLY-10262/JBEAP-14641 but the condition causing the problem is a bit different.

      The issue happens when the client sends JSESSIONID Cookie in the request to the web application does NOT use HttpSession. JSESSIONID Set-Cookie response header should not be sent in this scenario, but WildFly/EAP 7 returns the response with JSESSIONID reusing the requested session id which does not exist in the session manager.

      The fix for WFLY-10262 / JBEAP-14641 added AttachmentKey SESSION_ID_SET to avoid invoking CodecSessionConfig#setSessionId() more than once. However, the fix does not help for this issue because CodecSessionConfig#setSessionId() is not invoked (= SESSION_ID_SET is null) before the problematic CodecSessionConfig#findSessionId() processing in this scenario.

      Attachments

        Issue Links

          Activity

            People

              pferraro@redhat.com Paul Ferraro
              rhn-support-mmiura Masafumi Miura
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: