Wicket / WICKET-6530

Race-condition in session invalidation

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.9.0, 8.0.0-M8
    • Fix Version/s: 7.10.0, 6.29.0, 8.0.0-M9
    • Component/s: wicket
    • Labels:
      None

      Description

      Session.invalidate sets a boolean on the session that invalidation is required on detach. However, this boolean can be read by several requests, triggering multiple invalidations. An HTTP session can only be invalidated once; every subsequent call will trigger an IllegalStateException:

      Caused by: java.lang.IllegalStateException: UT000021: Session already invalidated
      	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:543)
      	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
      	at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
      	at org.apache.wicket.session.HttpSessionStore.invalidate(HttpSessionStore.java:188)
      	at org.apache.wicket.Session.destroy(Session.java:493)
      	at org.apache.wicket.Session.invalidateNow(Session.java:508)
      	at org.wicketstuff.security.WaspSession.invalidateNow(WaspSession.java:117)
      	at org.apache.wicket.Session.detach(Session.java:655)
      	at org.wicketstuff.security.WaspSession.detach(WaspSession.java:129)
      	at org.apache.wicket.request.cycle.RequestCycle.onDetach(RequestCycle.java:654)
      	at org.apache.wicket.request.cycle.RequestCycle.detach(RequestCycle.java:594)
      	at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:297)
      	at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
      	at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
      	at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
      	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
      	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
      	... 55 more
      

      I propose to set the boolean in request metadata. I'll submit a PR later today to demonstrate this solution.
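
A minimal model of the race described above, added here as an illustration; it is not code from Wicket or from the reporter's PR. The classes `FakeHttpSession` and `SharedFlagSession` are hypothetical stand-ins, and a barrier forces both requests to read the flag before either invalidates. The second mode keeps the flag per request, as the description proposes, so only the request that asked for invalidation performs it.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.atomic.AtomicInteger;

public class SessionInvalidationRace {
    // Stand-in for the container's HTTP session: a second invalidate() throws.
    static class FakeHttpSession {
        private boolean valid = true;
        synchronized void invalidate() {
            if (!valid) throw new IllegalStateException("Session already invalidated");
            valid = false;
        }
    }
    // Hypothetical session wrapper: one flag shared by every request on the session.
    static class SharedFlagSession {
        final FakeHttpSession http = new FakeHttpSession();
        volatile boolean invalidateOnDetach;
    }
    // Runs the detach step of two concurrent requests; returns how many failed.
    static int run(boolean perRequestFlag) throws InterruptedException {
        SharedFlagSession session = new SharedFlagSession();
        session.invalidateOnDetach = true; // request 0 asked for invalidation
        CyclicBarrier bothHaveReadFlag = new CyclicBarrier(2);
        AtomicInteger failures = new AtomicInteger();
        Thread[] requests = new Thread[2];
        for (int i = 0; i < requests.length; i++) {
            final boolean requestLocalFlag = (i == 0); // per-request variant: only request 0 carries the flag
            requests[i] = new Thread(() -> {
                try {
                    boolean mustInvalidate = perRequestFlag ? requestLocalFlag : session.invalidateOnDetach;
                    bothHaveReadFlag.await(); // force the racy interleaving
                    if (mustInvalidate) {
                        session.http.invalidate();
                        session.invalidateOnDetach = false;
                    }
                } catch (IllegalStateException e) {
                    failures.incrementAndGet(); // the double invalidation
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            });
            requests[i].start();
        }
        for (Thread t : requests) t.join();
        return failures.get();
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared flag, failed detaches: " + run(false));
        System.out.println("per-request flag, failed detaches: " + run(true));
    }
}
```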

    People

    • Assignee: Unassigned
    • Reporter: Emond Papegaaij (papegaaij)