Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 9.0.0.Beta1
Affects Version/s: 8.1.0.Final, 8.2.0.Final
Component/s: Web (Undertow)
Labels:
None
Environment:

WildFly 8.1.0.Final and WildFly 8.2.0.Final on Windows 7 x64
JDK 8u25
Session storage set to Cookie

Steps to Reproduce:
Hide

Store in an @ApplicationScoped managed bean for example an HttpSession instance

In another request, call invalidate() on that HttpSession instance

Notice the "Set-Cookie" header in the response, discarding the cookie of the current session
Show
Store in an @ApplicationScoped managed bean for example an HttpSession instance In another request, call invalidate() on that HttpSession instance Notice the "Set-Cookie" header in the response, discarding the cookie of the current session

When calling invalidate() on a HttpSession object of another session than the current one, the server sends back a "cookie expired" header Set-Cookie: JSESSIONID=XXXXXXXX; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT where XXXXXXXX is the session id of the invalidated session.
This results in the current JSESSIONID cookie being discarded by the browser, and the current session being lost.

I was able to narrow the "problem" in io.undertow.servlet.spec.HttpSessionImpl:193 (in Undertow 1.0.15.Final), where the ServletRequestContext is taken from the ThreadLocal storage, returning the current request context instead of null (as the target session is not associated to the current ServletRequestContext )

A workaround is to call invalidate() in a new Thread, so the retrieved ServletRequestContext is null

Assignee:: Stuart Douglas (Inactive)

Reporter:: Nicolas Grussenmeyer (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2014/12/09 8:48 AM

Updated:: 2017/12/06 11:28 AM

Resolved:: 2015/01/27 7:24 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates