Jetty 9.4.x 7801 duplicate set session cookies #7809

Expand Up @@ -1013,7 +1013,6 @@ public void testFormRedirect() throws Exception
"Cookie: JSESSIONID=" + session + "\r\n" +
"\r\n");
assertThat(response, startsWith("HTTP/1.1 200 OK"));
assertThat(response, containsString("JSESSIONID=" + session));

response = _connector.getResponse("GET /ctx/admin/info HTTP/1.0\r\n" +
"Cookie: JSESSIONID=" + session + "\r\n" +
Expand Up @@ -548,6 +548,9 @@ public void release(String id, Session session) throws Exception
//don't do anything with the session until the last request for it has finished
if ((session.getRequests() <= 0))
{
//reset the idchanged flag
session.setIdChanged(false);

//save the session
if (!_sessionDataStore.isPassivating())
{
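Review bot: The new `session.setIdChanged(false)` runs only inside the `session.getRequests() <= 0` branch, and the comment above it says what is done rather than why. A session that always has at least one request in flight (overlapping or long-lived requests) would, as far as this hunk shows, keep the flag set and keep repeating the session cookie, so it is worth stating whether that is intended. I would replace the comment with something like `//last request has exited: clear the flag so later responses do not repeat Set-Cookie for an id the client already has`. The body of release() starts and continues outside the hunk, so whether this write happens under the session lock cannot be confirmed from here.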
Expand Up @@ -40,6 +40,7 @@
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNotSame;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

/**
Expand Down Expand Up @@ -183,8 +184,6 @@ public void doTest(RenewalVerifier verifier) throws Exception
String contextPath = "";
String servletMapping = "/server";
WebAppContext context = _server.addWebAppContext(".", contextPath);
TestHttpChannelCompleteListener scopeListener = new TestHttpChannelCompleteListener();
_server.getServerConnector().addBean(scopeListener);
context.setParentLoaderPriority(true);
context.addServlet(TestServlet.class, servletMapping);
TestHttpSessionIdListener testListener = new TestHttpSessionIdListener();
Expand All @@ -199,33 +198,29 @@ public void doTest(RenewalVerifier verifier) throws Exception
client.start();

//make a request to create a session
CountDownLatch synchronizer = new CountDownLatch(1);
scopeListener.setExitSynchronizer(synchronizer);
ContentResponse response = client.GET("http://localhost:" + port + contextPath + servletMapping + "?action=create");
assertEquals(HttpServletResponse.SC_OK, response.getStatus());

//ensure request has finished being handled
synchronizer.await(5, TimeUnit.SECONDS);

String sessionCookie = response.getHeaders().get("Set-Cookie");
assertTrue(sessionCookie != null);
assertFalse(testListener.isCalled());

//make a request to change the sessionid
synchronizer = new CountDownLatch(1);
scopeListener.setExitSynchronizer(synchronizer);
Request request = client.newRequest("http://localhost:" + port + contextPath + servletMapping + "?action=renew");
ContentResponse renewResponse = request.send();
assertEquals(HttpServletResponse.SC_OK, renewResponse.getStatus());

//ensure request has finished being handled
synchronizer.await(5, TimeUnit.SECONDS);

String renewSessionCookie = renewResponse.getHeaders().get("Set-Cookie");
assertNotNull(renewSessionCookie);
assertNotSame(sessionCookie, renewSessionCookie);
assertTrue(testListener.isCalled());

//make another request and check the cookie isn't set again
request = client.newRequest("http://localhost:" + port + contextPath + servletMapping + "?action=check");
ContentResponse checkResponse = request.send();
assertEquals(HttpServletResponse.SC_OK, checkResponse.getStatus());
assertNull(checkResponse.getHeaders().get("Set-Cookie"));

if (verifier != null)
verifier.verify(context, TestServer.extractSessionId(sessionCookie), TestServer.extractSessionId(renewSessionCookie));
}
Expand Down Expand Up @@ -315,10 +310,10 @@ else if ("renew".equals(action))

assertTrue(sessionIdManager.isIdInUse(afterSessionId)); //new session id should be in use
assertFalse(sessionIdManager.isIdInUse(beforeSessionId));


if (((Session)afterSession).isIdChanged())
((org.eclipse.jetty.server.Response)response).replaceCookie(sessionManager.getSessionCookie(afterSession, request.getContextPath(), request.isSecure()));
}
else
{
request.getSession(false);
}
}
}
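Review bot: In doTest, `assertNotSame(sessionCookie, renewSessionCookie)` compares object identity, so it passes for any two distinct String instances even when the renewed cookie carries the same session id. Since this test is what pins id renewal, compare the values instead: `assertNotEquals(TestServer.extractSessionId(sessionCookie), TestServer.extractSessionId(renewSessionCookie));`, with the matching static import added next to `assertNull`. Separately, going by the hunk counts, the `synchronizer.await(5, TimeUnit.SECONDS)` waits appear to be dropped. If the flag reset in release() can run after the response has reached the client, the new `assertNull(checkResponse.getHeaders().get("Set-Cookie"))` may race with it, which should be confirmed.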