Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-14877

Do not allow application to create a new session or change the identifier of a session after response is committed

    XMLWordPrintable

Details

    • Hide

      Steps to reproduce

      0. Extract example.zip, build and deploy example.war

      mvn clean package
      

      1. Send a request that generates a new session with 100 session attributes

      curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/new
      

      2. Send a request that reponds a redirect and regenerate a new session with holding the previous session object

      RegenerateServlet that invokes response.redirect(), then session.invalidate() and request.getSession(true)
      curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/regenerate
      

      or

      ChangeSessionIdServlet that invokes response.redirect(), then request.changeSessionId()
      curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http://${SERVER_NAME}:8080/example/change
      

      3. Then repeat step 1 and 2

      The newly generated session after step 2 is never expired. Also, activeSessions metrics do not decrease and session objects remain in the heapdump.

       

      You can check activeSessions metrics through /metrics:

      curl -v http://${SERVER_NAME}:9990/metrics | grep -v "^#" | grep jboss_undertow.*sessions | grep example
      

      Also, you can check number of session objects (like "org.wildfly.clustering.web.infinispan.session.SessionCreationMetaDataKey" and "org.wildfly.clustering.web.infinispan.session.fine.SessionAttributeKey") with jmap (or take a heapdump):

      jmap -histo:live $JAVA_PID | grep -e "org.wildfly.clustering.web.*session"
      Show
      Steps to reproduce 0. Extract example.zip, build and deploy example.war mvn clean package 1. Send a request that generates a new session with 100 session attributes curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http: //${SERVER_NAME}:8080/example/ new 2. Send a request that reponds a redirect and regenerate a new session with holding the previous session object RegenerateServlet that invokes response.redirect(), then session.invalidate() and request.getSession(true) curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http: //${SERVER_NAME}:8080/example/regenerate or ChangeSessionIdServlet that invokes response.redirect(), then request.changeSessionId() curl -0 -v -b /tmp/curl_cookie.txt -c /tmp/curl_cookie.txt http: //${SERVER_NAME}:8080/example/change 3. Then repeat step 1 and 2 The newly generated session after step 2 is never expired. Also, activeSessions metrics do not decrease and session objects remain in the heapdump.   You can check activeSessions metrics through /metrics: curl -v http: //${SERVER_NAME}:9990/metrics | grep -v "^#" | grep jboss_undertow.*sessions | grep example Also, you can check number of session objects (like "org.wildfly.clustering.web.infinispan.session.SessionCreationMetaDataKey" and "org.wildfly.clustering.web.infinispan.session.fine.SessionAttributeKey") with jmap (or take a heapdump): jmap -histo:live $JAVA_PID | grep -e "org.wildfly.clustering.web.*session"

    Description

      Creating a new session, or changing the identifier of a session, would otherwise result in a session that cannot be referenced - as it is no longer possible to write the requisite JSESSIONID cookie or encode the session identifier in the location header to the response.

      These conditions should result in an ISE.

      Attachments

        Issue Links

          Activity

            People

              pferraro@redhat.com Paul Ferraro
              pferraro@redhat.com Paul Ferraro
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: