Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.0.0.DR6
Affects Version/s: 7.0.0.DR4
Component/s: Undertow
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.0.0.GA
Steps to Reproduce:
Hide

This is servlet code I used to reproduce it:

package org.jboss.qa.management.web.resources; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * Created by rhatlapa on 10/14/14. */ @WebServlet(name="SessionTimeoutCheck", urlPatterns={"/SessionTimeoutCheck"}) public class SessionTimeoutCheckServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession session = request.getSession(); response.setContentType("text/html"); PrintWriter out = response.getWriter(); out.write("Current session ID: " + session.getId()); out.write("<br />\n"); out.write("Requested session ID " + request.getRequestedSessionId()); out.write("<br />\n"); if (request.getRequestedSessionId() != null) { if (request.isRequestedSessionIdValid()) { out.write("Valid session"); } else { out.write("Session expired"); } } else { out.write("No sessionId specified => new session"); } } }

Then set session timetout to minimum value:

/subsystem=undertow/servlet-container=default:write-attribute(name=default-session-timeout,value=1) reload

Try various requests on:

localhost:8080/[warname]/SessionTimeoutCheck

to see that even when session has expired the "Valid session" text appears on the page.
Show
This is servlet code I used to reproduce it: package org.jboss.qa.management.web.resources; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * Created by rhatlapa on 10/14/14. */ @WebServlet(name= "SessionTimeoutCheck" , urlPatterns={ "/SessionTimeoutCheck" }) public class SessionTimeoutCheckServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession session = request.getSession(); response.setContentType( "text/html" ); PrintWriter out = response.getWriter(); out.write( "Current session ID: " + session.getId()); out.write( "<br />\n" ); out.write( "Requested session ID " + request.getRequestedSessionId()); out.write( "<br />\n" ); if (request.getRequestedSessionId() != null ) { if (request.isRequestedSessionIdValid()) { out.write( "Valid session" ); } else { out.write( "Session expired" ); } } else { out.write( "No sessionId specified => new session" ); } } } Then set session timetout to minimum value: /subsystem=undertow/servlet-container= default :write-attribute(name= default -session-timeout,value=1) reload Try various requests on: localhost:8080/[warname]/SessionTimeoutCheck to see that even when session has expired the "Valid session" text appears on the page.

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When calling

request.isRequestedSessionIdValid()

in servlet code then this method returns true even when particular requested session has expired and now is used different session.

Expected behaviour:

return true if current valid session is same as requested by client in preceding request
return false if current valid session is different (new) from the one requested by client in preceding request

Not sure but probably source of the problem might be in implementation of that method here:
https://github.com/undertow-io/undertow/blob/90789748d3b493d7a233a4ef5ba8ae33032c1543/servlet/src/main/java/io/undertow/servlet/spec/HttpServletRequestImpl.java#L377

is cloned by

UNDERTOW-478 request.isRequestedSessionIdValid() returns true even when requested session has expired

Resolved

Assignee:: Stuart Douglas

Reporter:: Jan Stourac

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2015/06/23 4:57 AM

Updated:: 2016/07/13 12:41 PM

Resolved:: 2015/07/31 2:52 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates

Hide