[ https://issues.apache.org/jira/browse/WICKET-6530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352470#comment-16352470 ]
ASF GitHub Bot commented on WICKET-6530: ---------------------------------------- Github user asfgit closed the pull request at: https://github.com/apache/wicket/pull/266 > Race-condition in session invalidation > -------------------------------------- > > Key: WICKET-6530 > URL: https://issues.apache.org/jira/browse/WICKET-6530 > Project: Wicket > Issue Type: Bug > Components: wicket > Affects Versions: 7.9.0, 8.0.0-M8 > Reporter: Emond Papegaaij > Priority: Major > > Session.invalidate sets a boolean on the session that invalidation is > required on detach. However, this boolean can be read by several requests, > triggering multiple invalidations. A HTTP session can only be invalidated > once, every subsequent call will trigger an IllegalStateException: > {code:java} > Caused by: java.lang.IllegalStateException: UT000021: Session already > invalidated > at > io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:543) > at > io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529) > at > io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198) > at > org.apache.wicket.session.HttpSessionStore.invalidate(HttpSessionStore.java:188) > at org.apache.wicket.Session.destroy(Session.java:493) > at org.apache.wicket.Session.invalidateNow(Session.java:508) > at > org.wicketstuff.security.WaspSession.invalidateNow(WaspSession.java:117) > at org.apache.wicket.Session.detach(Session.java:655) > at org.wicketstuff.security.WaspSession.detach(WaspSession.java:129) > at > org.apache.wicket.request.cycle.RequestCycle.onDetach(RequestCycle.java:654) > at > org.apache.wicket.request.cycle.RequestCycle.detach(RequestCycle.java:594) > at > org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:297) > at > org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) > at > org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) > at > org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) > at > org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) > at > org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) > ... 55 more > {code} > I propose to set the boolean in request metadata. I'll submit a PR later > today to demonstrate this solution. -- This message was sent by Atlassian JIRA (v7.6.3#76005)