Abhishek Garg created FELIX-6342:
------------------------------------
Summary: HTTP Session not invalidated over HTTPS
Key: FELIX-6342
URL: https://issues.apache.org/jira/browse/FELIX-6342
Project: Felix
Issue Type: Improvement
Components: HTTP Service
Affects Versions: http.base-4.1.0, http.jetty-4.1.0
Reporter: Abhishek Garg

Jetty adds an additional attribute to the session object over HTTPS without using the
setAttribute() method [0] of the HttpSessionWrapper class.

When we try to invalidate the session using [1], the session is not
invalidated, because invalidate removes only the attributes added by this
session [2], which contain the prefix "org.apache.felix.http.session.context", and
the attribute added by Jetty does not contain this prefix.

When we tried to remove the attribute by calling the removeAttribute method [3], it was
not successful, as this method also adds the prefix
"org.apache.felix.http.session.context" to the attributeName passed.

We also tried to cast this HttpSessionWrapper session object to an
"org.eclipse.jetty.server.session.Session" object, but got a
ClassCastException. So we are not able to remove this attribute.

Shouldn't the invalidate method [1] remove all attributes present in this
session, or shouldn't there be a method to remove an attribute from the underlying
container session object in the HttpSessionWrapper class?

[0]: https://github.com/apache/felix-dev/blame/b91688862f39bf89c87e019ccf81653bb7ec12a1/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L397
[1]: https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L323
[2]: https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L335
[3]: https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L372
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
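
A minimal Java model of the behaviour described in the report above, added here for illustration; it is not Felix or Jetty code. The class names, the "." separator after the prefix, and the attribute name `container.added.attribute` are assumptions, and a plain map stands in for the container session.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Simplified model of the reported behaviour; not Felix or Jetty code. */
public class PrefixedSessionDemo {
    // Prefix quoted in the report.
    static final String PREFIX = "org.apache.felix.http.session.context";

    /** Hypothetical wrapper: every name it handles is prefixed before reaching the container. */
    static class PrefixedSession {
        private final Map<String, Object> container; // stands in for the container session

        PrefixedSession(Map<String, Object> container) { this.container = container; }

        void setAttribute(String name, Object value) { container.put(PREFIX + "." + name, value); }

        void removeAttribute(String name) { container.remove(PREFIX + "." + name); }

        /** Removes only the keys this wrapper wrote, as the report describes for invalidate. */
        void invalidate() { container.keySet().removeIf(k -> k.startsWith(PREFIX)); }
    }

    /** Returns the attribute names still present in the container after invalidation. */
    static List<String> survivors() {
        Map<String, Object> container = new HashMap<>();
        PrefixedSession session = new PrefixedSession(container);

        session.setAttribute("user", "alice");                 // written through the wrapper
        container.put("container.added.attribute", "tls");     // constructed name, written directly

        session.removeAttribute("container.added.attribute");  // no-op: looks up the prefixed key
        session.invalidate();                                   // clears only prefixed keys
        return new ArrayList<>(container.keySet());
    }

    public static void main(String[] args) {
        List<String> left = survivors();
        System.out.println("left after invalidate: " + left);
        if (!left.isEmpty()) {
            System.out.println("state written outside the wrapper outlived invalidation");
        }
    }
}
```

A test that lists the underlying session's attribute names after invalidation and expects none is one way to catch state that bypasses the wrapper.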