Skip to content

Commit

Permalink
Issue #7801 Duplicate session cookies after session id change.
Browse files Browse the repository at this point in the history
Signed-off-by: Jan Bartel <janb@webtide.com>
  • Loading branch information
janbartel committed Mar 29, 2022
1 parent a104c59 commit b86dd9d
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 16 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -548,6 +548,9 @@ public void release(String id, Session session) throws Exception
//don't do anything with the session until the last request for it has finished
if ((session.getRequests() <= 0))
{
//reset the idchanged flag
session.setIdChanged(false);

//save the session
if (!_sessionDataStore.isPassivating())
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNotSame;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

/**
Expand Down Expand Up @@ -183,8 +184,6 @@ public void doTest(RenewalVerifier verifier) throws Exception
String contextPath = "";
String servletMapping = "/server";
WebAppContext context = _server.addWebAppContext(".", contextPath);
TestHttpChannelCompleteListener scopeListener = new TestHttpChannelCompleteListener();
_server.getServerConnector().addBean(scopeListener);
context.setParentLoaderPriority(true);
context.addServlet(TestServlet.class, servletMapping);
TestHttpSessionIdListener testListener = new TestHttpSessionIdListener();
Expand All @@ -199,33 +198,29 @@ public void doTest(RenewalVerifier verifier) throws Exception
client.start();

//make a request to create a session
CountDownLatch synchronizer = new CountDownLatch(1);
scopeListener.setExitSynchronizer(synchronizer);
ContentResponse response = client.GET("http://localhost:" + port + contextPath + servletMapping + "?action=create");
assertEquals(HttpServletResponse.SC_OK, response.getStatus());

//ensure request has finished being handled
synchronizer.await(5, TimeUnit.SECONDS);

String sessionCookie = response.getHeaders().get("Set-Cookie");
assertTrue(sessionCookie != null);
assertFalse(testListener.isCalled());

//make a request to change the sessionid
synchronizer = new CountDownLatch(1);
scopeListener.setExitSynchronizer(synchronizer);
Request request = client.newRequest("http://localhost:" + port + contextPath + servletMapping + "?action=renew");
ContentResponse renewResponse = request.send();
assertEquals(HttpServletResponse.SC_OK, renewResponse.getStatus());

//ensure request has finished being handled
synchronizer.await(5, TimeUnit.SECONDS);

String renewSessionCookie = renewResponse.getHeaders().get("Set-Cookie");
assertNotNull(renewSessionCookie);
assertNotSame(sessionCookie, renewSessionCookie);
assertTrue(testListener.isCalled());

//make another request and check the cookie isn't set again
request = client.newRequest("http://localhost:" + port + contextPath + servletMapping + "?action=check");
ContentResponse checkResponse = request.send();
assertEquals(HttpServletResponse.SC_OK, checkResponse.getStatus());
assertNull(checkResponse.getHeaders().get("Set-Cookie"));

if (verifier != null)
verifier.verify(context, TestServer.extractSessionId(sessionCookie), TestServer.extractSessionId(renewSessionCookie));
}
Expand Down Expand Up @@ -315,10 +310,10 @@ else if ("renew".equals(action))

assertTrue(sessionIdManager.isIdInUse(afterSessionId)); //new session id should be in use
assertFalse(sessionIdManager.isIdInUse(beforeSessionId));


if (((Session)afterSession).isIdChanged())
((org.eclipse.jetty.server.Response)response).replaceCookie(sessionManager.getSessionCookie(afterSession, request.getContextPath(), request.isSecure()));
}
else
{
request.getSession(false);
}
}
}
Expand Down

0 comments on commit b86dd9d

Please sign in to comment.