[Http Service] Invalid session id change event [message #1840979]
Thu, 29 April 2021 18:47
Arnaud MERGEY Messages: 243 Registered: March 2010 Location: France
Senior Member
I noticed a weird behavior with our application.
We use Spring Security to manage authentication.
Spring Security renews the session id after a successful authentication.
We have a javax.servlet.http.HttpSessionIdListener to listen for session id changes (and do some stuff when it happens, as we cache things based on session id).
When one user authenticates on the server, the listener is called for all sessions and wrongly fires a session change event even for sessions other than the one where the authentication is performed.
By debugging the code I saw this code in Equinox which seems to confirm this:
org.eclipse.equinox.http.servlet.internal.context.ContextController.fireSessionIdChanged(String)

    // The event is dispatched to every active session, not only to the one whose id changed.
    for (HttpSessionAdaptor httpSessionAdaptor : activeSessions.values()) {
        HttpSessionEvent httpSessionEvent = new HttpSessionEvent(httpSessionAdaptor);
        for (javax.servlet.http.HttpSessionIdListener listener : listeners) {
            listener.sessionIdChanged(httpSessionEvent, oldSessionId);
        }
    }
So it seems that when one session changes its id, a session change event is fired for all sessions, which is wrong, as these sessions keep the id they had and did not have oldSessionId as their old session id.
When Spring Security renews its session id (calling it on the servlet request),
it goes through Jetty org.eclipse.jetty.server.session.SessionHandler.callSessionIdListeners(Session, String), which itself calls
org.eclipse.equinox.http.jetty.internal.HttpServerManager.InternalHttpServiceServlet.sessionIdChanged(HttpSessionEvent, String), and then it reaches the ContextController code above.
Is this behavior on purpose? And if yes, why?
Best,
Arnaud
[Updated on: Thu, 29 April 2021 18:49]
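Added example, not code from the post or from Equinox: a self-contained Java reproduction of the broadcast described above, with small stand-in types (Session, SessionIdListener) in place of the servlet API so it compiles without servlet-api.jar. The cache listener records which session object owns each id and migrates an entry only when the event's session is the real owner of oldSessionId, so the spurious events reach it but do nothing; the identity comparison assumes the container passes a stable session object, which the post does not confirm.

```java
import java.util.*;

// Stand-ins for javax.servlet.http.HttpSession / HttpSessionIdListener (assumption, not the real API).
interface Session { String getId(); }

final class SimpleSession implements Session {
    private String id;
    SimpleSession(String id) { this.id = id; }
    public String getId() { return id; }
    void changeId(String newId) { id = newId; }   // models the container renewing the id
}

interface SessionIdListener { void sessionIdChanged(Session session, String oldSessionId); }

/** Per-session cache keyed by session id; remembers which session object owns each entry. */
final class SessionCache implements SessionIdListener {
    private final Map<String, Session> owner = new HashMap<>();
    final List<String> log = new ArrayList<>();

    void put(Session s) { owner.put(s.getId(), s); }

    public void sessionIdChanged(Session session, String oldSessionId) {
        // Defensive check: only migrate if the entry stored under oldSessionId belongs to this session.
        // For a bystander session the owner of oldSessionId is a different object, so nothing moves.
        Session cached = owner.get(oldSessionId);
        if (cached != session) {
            log.add("ignored spurious event for session " + session.getId());
            return;
        }
        owner.remove(oldSessionId);
        owner.put(session.getId(), session);
        log.add("migrated " + oldSessionId + " -> " + session.getId());
    }
}

public class SessionIdBroadcastDemo {
    // Mirrors the loop quoted from ContextController: every active session receives the event.
    static void fireForAll(Collection<Session> active, List<SessionIdListener> ls, String oldId) {
        for (Session s : active) for (SessionIdListener l : ls) l.sessionIdChanged(s, oldId);
    }

    public static void main(String[] args) {
        SimpleSession a = new SimpleSession("A1"), b = new SimpleSession("B1"); // constructed ids
        SessionCache cache = new SessionCache();
        cache.put(a); cache.put(b);
        a.changeId("A2");                              // only session A is renewed (e.g. after login)
        fireForAll(List.of(a, b), List.of(cache), "A1");
        cache.log.forEach(System.out::println);        // A1 migrated, B1 event ignored
    }
}
```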