WildFly / WFLY-6278

Requesting a session with an unexpected character causes request to fail


    Description

      The root cause of the problem is that the distributed web session code optimizes the marshalling of the session identifier, by using a URL safe Base64 codec. Because this marshalling happens transparently, when Cache.get(...) goes remote (since the session ID containing an invalid character will never be found locally), the resulting IllegalArgumentException goes undetected - and propagates back to the client.

      To prevent this, we need to validate that the requested session ID can be serialized - and if not, respond as if the session was not found.
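A sketch of the validation proposed above, as an added example that is not WildFly's code. It assumes `java.util.Base64`'s URL-safe decoder as a stand-in for the session ID codec; `SessionLookupExample`, `RemoteCache`, and their methods are hypothetical names.

```java
import java.nio.ByteBuffer;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not WildFly code; every class and method name here is hypothetical.
public class SessionLookupExample {
    // Stand-in for the distributed cache: keys are session IDs marshalled to raw bytes.
    static final class RemoteCache {
        private final Map<ByteBuffer, String> entries = new ConcurrentHashMap<>();
        void put(String sessionId, String value) { entries.put(marshal(sessionId), value); }
        // Like the transparent marshalling in the report: throws IllegalArgumentException on a bad ID.
        String get(String sessionId) { return entries.get(marshal(sessionId)); }
        private static ByteBuffer marshal(String sessionId) {
            return ByteBuffer.wrap(Base64.getUrlDecoder().decode(sessionId));
        }
    }

    // True only if the requested ID survives the codec used to marshal cache keys.
    static boolean isSerializable(String sessionId) {
        if (sessionId == null || sessionId.isEmpty()) {
            return false;
        }
        try {
            Base64.getUrlDecoder().decode(sessionId);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Validate before touching the cache; an unserializable ID is treated as "not found".
    static Optional<String> findSession(RemoteCache cache, String requestedId) {
        return isSerializable(requestedId)
                ? Optional.ofNullable(cache.get(requestedId))
                : Optional.empty();
    }

    public static void main(String[] args) {
        RemoteCache cache = new RemoteCache();
        String validId = "8h3Zk2Qx_-Ab4cDe"; // constructed sample ID
        cache.put(validId, "session-data");
        for (String id : new String[] {validId, "AAAAAAAAAAAAAAAA", "8h3Zk2Qx+/Ab4cDe", "abc$%^"}) {
            System.out.println(id + " -> " + findSession(cache, id).orElse("not found"));
        }
    }
}
```

The last two constructed IDs contain characters outside the URL-safe alphabet, so an unguarded call to `RemoteCache.get` would throw, while `findSession` reports them as not found, the same as a well-formed ID that is absent from the cache.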


              People

                pferraro@redhat.com Paul Ferraro