Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 9.0.0.Beta1
Affects Version/s: 8.1.0.Final, 8.2.0.Final
Component/s: Web (Undertow)
Labels:
None

Steps to Reproduce:
Hide

Store in an @ApplicationScoped managed bean for example an HttpSession instance

In another request, call invalidate() on that HttpSession instance

Notice the "Set-Cookie" header in the response, discarding the cookie of the current session
Show
Store in an @ApplicationScoped managed bean for example an HttpSession instance In another request, call invalidate() on that HttpSession instance Notice the "Set-Cookie" header in the response, discarding the cookie of the current session

Description

When calling invalidate() on a HttpSession object of another session than the current one, the server sends back a "cookie expired" header Set-Cookie: JSESSIONID=XXXXXXXX; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT where XXXXXXXX is the session id of the invalidated session.
This results in the current JSESSIONID cookie being discarded by the browser, and the current session being lost.

I was able to narrow the "problem" in io.undertow.servlet.spec.HttpSessionImpl:193 (in Undertow 1.0.15.Final), where the ServletRequestContext is taken from the ThreadLocal storage, returning the current request context instead of null (as the target session is not associated to the current ServletRequestContext )

A workaround is to call invalidate() in a new Thread, so the retrieved ServletRequestContext is null

Attachments

Activity

People

Assignee:: Stuart Douglas

Reporter:: Nicolas Grussenmeyer (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2014/12/09 8:48 AM

Updated:: 2017/12/06 11:28 AM

Resolved:: 2015/01/27 7:24 AM