1. Servlet 'a' includes servlet 'b' from a different context.
2. Servlets 'b' and 'c' belong to the same context.
3. Servlet 'b' includes servlet 'c'.
4. Servlet 'c' creates a session via request.getSession().
5. Servlet 'c' invalidates the session and returns to servlet 'b'.
6. Servlet 'b' performs request.getSession(false).

I expect that Servlet 'b' gets 'null' returned by getSession(false), but instead a session object is returned.

Note: If only one web-application is involved (only servlets b and c in same context), then getSession works as expected. If two web-applications are involved like described in the scenario, then getSession fails to return null.

Please do not reopen this report. If you disagree with my resolution, please bring this forward to the servlet specification, and persuade them to make the necessary specification changes. BTW, I disagree with what you point out. What you want is actually a shared session across all contexts. Again, this is a blatant misconception on the part of the portlet specification and its design, since all the servlet specification ever said was that a separate session object would be returned for each context, with no further precisions.
I believe this bug has been valid: If the session in the foreign context has been invalidated, it must not be returned. A comment in the code actually stated that the current session be returned "if it exists and is valid", but the isValid() check on the session was missing, and is being added by this commit. Also, a session is now created in the foreign context only if 'create' is TRUE.
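
The lookup behaviour discussed in this thread, as an added example that is not part of any comment above and is not the project's own code: a simplified model of per-context session lookup on one request, with the missing validity check beside the checked form. All class and method names are hypothetical, and the unchecked variant creating a session regardless of `create` is an assumption inferred from the last comment.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of cross-context session lookup; not the container's source.
// All class and method names here are hypothetical.
public class CrossContextSessionDemo {
    static class Session {
        private boolean valid = true;
        boolean isValid() { return valid; }
        void invalidate() { valid = false; }
    }

    // One request passing through several contexts keeps one session slot per context.
    static class Request {
        private final Map<String, Session> perContext = new HashMap<>();

        // Behaviour described in the report: an invalidated session is handed back.
        Session getSessionUnchecked(String context, boolean create) {
            Session s = perContext.get(context);
            if (s == null) {              // assumption: created regardless of 'create'
                s = new Session();
                perContext.put(context, s);
            }
            return s;                     // no isValid() check
        }

        // Behaviour described in the fix: validate first, create only on request.
        Session getSessionChecked(String context, boolean create) {
            Session s = perContext.get(context);
            if (s != null && s.isValid()) return s;
            perContext.remove(context);   // drop the invalidated entry
            if (!create) return null;
            s = new Session();
            perContext.put(context, s);
            return s;
        }
    }

    public static void main(String[] args) {
        Request req = new Request();
        // Servlet 'c' creates, then invalidates, a session in the foreign context.
        req.getSessionChecked("/foreign", true).invalidate();
        // Servlet 'b' then asks for the existing session without creating one.
        System.out.println("unchecked: " + (req.getSessionUnchecked("/foreign", false) != null));
        System.out.println("checked:   " + (req.getSessionChecked("/foreign", false) != null));
    }
}
```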