Bug 54999 - JSESSIONIDSSO not re-created upon re-authentication on the same request - logout() and login(username,password)
Summary: JSESSIONIDSSO not re-created upon re-authentication on the same request - log...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.40
Hardware: PC Windows XP
Importance: P2 normal with 1 vote
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2013-05-21 19:50 UTC by Keith Mashinter
Modified: 2013-05-30 13:54 UTC
Attachments
Fix for Bug 54999 to ensure JSESSIONIDSSO can be re-created (612 bytes, patch)
2013-05-22 13:18 UTC, Keith Mashinter
Description Keith Mashinter 2013-05-21 19:50:48 UTC
In testing I found that the JSESSIONIDSSO was not re-created upon re-authentication via logout() and login(username,password) in the same request.  The problem stemmed from the REQ_SSOID_NOTE that was not reset upon request.logout(), whereas the documentation indicates that a logout() from any web-app should logout() from all web-apps.  When the REQ_SSOID_NOTE is not removed upon logout(), a subsequent login(username,password) on the same request will re-create a JSESSIONID for the current web-app but fails to re-create a JSESSIONIDSSO since the REQ_SSOID_NOTE still lingers on the request.

AuthenticatorBase.java adjustment for logout(request) that removes the REQ_SSOID_NOTE so that a subsequent login(username,password) will work on the same request:

    @Override
    public void logout(Request request) throws ServletException {
        // Clear the cached principal/auth type (and deregister the SSO entry)
        register(request, request.getResponse(), null,
                null, null, null);
        // Drop the SSO id note so a later login() on this request issues a new JSESSIONIDSSO
        request.removeNote(Constants.REQ_SSOID_NOTE);
    }

I'll upload a diff-patch against the trunk and for 7.0.40.
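The state problem described above, as an added illustration that is not Tomcat's code: a simplified Java model of the SSO bookkeeping in register(). The note map, the cookie list, the counter and the removeNoteOnLogout flag are assumptions standing in for Tomcat's Request notes, the response, generateSessionId() and the presence or absence of the patch.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Simplified model (not Tomcat's implementation) of how AuthenticatorBase.register()
// decides whether to issue a JSESSIONIDSSO cookie, driven by the REQ_SSOID_NOTE.
public class SsoNoteModel {
    static final String REQ_SSOID_NOTE = "org.apache.catalina.request.SSOID";
    static final String SSO_COOKIE = "JSESSIONIDSSO";

    final Map<String, String> notes = new HashMap<>();  // stand-in for one Request's notes
    final List<String> cookiesSet = new ArrayList<>();   // stand-in for cookies added to the response
    final boolean removeNoteOnLogout;                     // false = 7.0.40 behaviour, true = patched
    int counter = 0;                                      // stand-in for generateSessionId()

    SsoNoteModel(boolean removeNoteOnLogout) { this.removeNoteOnLogout = removeNoteOnLogout; }

    // principal == null models logout(); a non-null principal models login(username,password)
    void register(String principal) {
        String ssoId = notes.get(REQ_SSOID_NOTE);
        if (ssoId == null) {
            if (principal != null) {
                ssoId = "sso-" + (++counter);
                cookiesSet.add(SSO_COOKIE + "=" + ssoId);   // new SSO cookie for the client
                notes.put(REQ_SSOID_NOTE, ssoId);           // remembered for the rest of the request
            }
        } else if (principal == null) {
            // logout: the SSO entry is deregistered; only the patched code also clears the note
            if (removeNoteOnLogout) notes.remove(REQ_SSOID_NOTE);
        }
        // else: an SSO id already exists on this request, so nothing new is issued
    }

    public static void main(String[] args) {
        for (boolean patched : new boolean[] { false, true }) {
            SsoNoteModel m = new SsoNoteModel(patched);
            m.register("alice");   // first login: JSESSIONIDSSO issued
            m.register(null);      // request.logout()
            m.register("alice");   // request.login() on the same request
            System.out.println((patched ? "patched: " : "7.0.40:  ")
                + "SSO cookies set on this request = " + m.cookiesSet);
        }
    }
}
```

With the note left in place, the second login finds the stale id and sets no new cookie; with the note cleared, a second JSESSIONIDSSO is issued, which is the behaviour the report expects.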
Comment 1 Keith Mashinter 2013-05-22 13:18:26 UTC
Created attachment 30313 [details]
Fix for Bug 54999 to ensure JSESSIONIDSSO can be re-created

In the Bug comments I chose to @Override the AuthenticatorBase logout(Request), but the more self-consistent place to patch this seems to be in AuthenticatorBase.register(Request,...), which I've done here against the tc7.0.x/trunk/tc7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java.
Comment 2 Mark Thomas 2013-05-30 13:54:12 UTC
Thanks for the report, analysis and patch. It all looks good to me.

I have applied the patch to trunk and 7.0.x and the fix will be included in 7.0.41 onwards.