[Http Service] Invalid session id change event [message #1840979] Thu, 29 April 2021 18:47
Arnaud MERGEY
I noticed a weird behavior with our application.
We use Spring Security to manage authentication.

Spring Security renews the session id after a successful authentication.

We have a javax.servlet.http.HttpSessionIdListener to listen for session id changes (and do some stuff when it happens, as we cache things based on session id).

When one user authenticates on the server, the listener is called for all sessions and wrongly fires a session change even for sessions other than the one where the authentication is performed.

By debugging the code, I saw this code in Equinox, which seems to confirm this:

org.eclipse.equinox.http.servlet.internal.context.ContextController.fireSessionIdChanged(String)

for (HttpSessionAdaptor httpSessionAdaptor : activeSessions.values()) {
	HttpSessionEvent httpSessionEvent = new HttpSessionEvent(httpSessionAdaptor);
	for (javax.servlet.http.HttpSessionIdListener listener : listeners) {
		listener.sessionIdChanged(httpSessionEvent, oldSessionId);
	}
}


So it seems that when one session changes its id, a session change event is fired for all sessions, which is wrong, as these sessions keep the id they had and did not have oldSessionId as their old session id.

When Spring Security renews its session id (calling it on the servlet request),
it goes through Jetty's org.eclipse.jetty.server.session.SessionHandler.callSessionIdListeners(Session, String), which itself calls
org.eclipse.equinox.http.jetty.internal.HttpServerManager.InternalHttpServiceServlet.sessionIdChanged(HttpSessionEvent, String), and then it reaches the ContextController code above.

Is this behavior on purpose? And if yes, why?

Best,
Arnaud

[Updated on: Thu, 29 April 2021 18:49]
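
A listener that caches by session id can protect its own state against the fan-out described in the post by checking that the session carried in the event really was the one cached under oldSessionId. The following is an added example, not code from the post, Equinox or Spring Security; the class name, the attribute name example.cacheKey and the cache layout are assumptions, and it assumes attributes set on a session are visible on the session object delivered with the event.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical cache listener; class, attribute and field names are illustrative. */
public class GuardedSessionCacheListener implements HttpSessionListener, HttpSessionIdListener {

    // Session attribute recording the id under which this session's entry is cached.
    static final String CACHE_KEY_ATTR = "example.cacheKey";

    // Per-session cached state, keyed by session id.
    private final Map<String, Object> cache = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        cache.put(s.getId(), new ConcurrentHashMap<String, Object>());
        s.setAttribute(CACHE_KEY_ATTR, s.getId());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        HttpSession s = se.getSession();
        // Only the session that was really cached under oldSessionId may be re-keyed.
        // A session that kept its id still carries its own id in the marker attribute.
        if (!oldSessionId.equals(s.getAttribute(CACHE_KEY_ATTR))) {
            return; // event delivered for an unrelated session: leave its entry alone
        }
        Object entry = cache.remove(oldSessionId);
        if (entry != null) {
            cache.put(s.getId(), entry); // getId() already returns the new id here
        }
        s.setAttribute(CACHE_KEY_ATTR, s.getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Drop the cached state together with the session.
        cache.remove(se.getSession().getId());
    }
}
```

Without the marker check, a listener that simply moves the entry stored under oldSessionId to event.getSession().getId() would attach one user's cached state to whichever unrelated session the event happened to be delivered for first.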