Details
- Bug
- Resolution: Done
- Major
- 8.1.0.Final, 8.2.0.Final
- None
Description
When calling invalidate() on an HttpSession object of a session other than the current one, the server sends back a "cookie expired" header:

Set-Cookie: JSESSIONID=XXXXXXXX; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT

where XXXXXXXX is the session id of the invalidated session.
This results in the current JSESSIONID cookie being discarded by the browser, and the current session being lost.
I was able to narrow the "problem" down to io.undertow.servlet.spec.HttpSessionImpl:193 (in Undertow 1.0.15.Final), where the ServletRequestContext is taken from the ThreadLocal storage, returning the current request context instead of null (as the target session is not associated with the current ServletRequestContext).
A workaround is to call invalidate() in a new Thread, so that the retrieved ServletRequestContext is null.
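The workaround described above, as an added example (not code from the report or from Undertow): a helper that runs the invalidation on a fresh thread and waits for it, with a stand-in ThreadLocal showing that the new thread sees no request context. The names runDetached, CURRENT_REQUEST and otherSession are hypothetical.

```java
import java.util.concurrent.atomic.AtomicReference;

public class DetachedInvalidate {
    // Stand-in for the per-request ThreadLocal the report describes (constructed for this demo).
    static final ThreadLocal<String> CURRENT_REQUEST = new ThreadLocal<>();

    /** Runs action on a fresh thread, waits for it, and rethrows any failure. */
    static void runDetached(Runnable action) throws InterruptedException {
        AtomicReference<RuntimeException> failure = new AtomicReference<>();
        Thread t = new Thread(() -> {
            try {
                action.run();
            } catch (RuntimeException e) {
                failure.set(e); // e.g. IllegalStateException if the session is already invalid
            }
        }, "session-invalidate");
        t.start();
        t.join(); // the invalidation has finished when this returns
        if (failure.get() != null) {
            throw failure.get();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // The request thread has a context bound, as it would while serving session A.
        CURRENT_REQUEST.set("request of session A");
        AtomicReference<String> seen = new AtomicReference<>("unset");

        // In a servlet the call would be: runDetached(otherSession::invalidate);
        // here the action only records what the detached thread finds in the ThreadLocal.
        runDetached(() -> seen.set(CURRENT_REQUEST.get()));

        System.out.println("request thread sees:  " + CURRENT_REQUEST.get());
        System.out.println("detached thread sees: " + seen.get());
    }
}
```

This relies on a plain ThreadLocal not being inherited by new threads; a wrapper that copies request context into worker threads would bring the behaviour described in the report back.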