Uploaded image for project: 'Ignite'
  1. Ignite
  2. IGNITE-3159

WebSession: Incorrect handling of HttpServletRequest.getRequestedSessionId.

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.5.0.final
    • Fix Version/s: None
    • Component/s: websession
    • Labels:
      None

      Description

      WebSessionFilter use HttpServletRequest.getRequestedSessionId() method to get session ID.

      However, specification says that this method might return ID which is different from ID of currently active session. E.g. when request is performed with ID of already invalidated session. But we never account for this and pass this session ID to our session.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              vozerov Vladimir Ozerov
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: