[ https://issues.apache.org/jira/browse/FELIX-6342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated FELIX-6342:
------------------------------------
    Fix Version/s: http.jetty-4.1.2

> HTTP Session not invalidated over HTTPS
> ---------------------------------------
>
>                 Key: FELIX-6342
>                 URL: https://issues.apache.org/jira/browse/FELIX-6342
>             Project: Felix
>          Issue Type: Improvement
>          Components: HTTP Service
>    Affects Versions: http.jetty-4.1.0, http.base-4.1.0
>            Reporter: Abhishek Garg
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: http.jetty-4.1.2
>
>
> Jetty is adding an additional attribute over HTTPS on the session object, not by 
> using the setAttribute() method [0] of the HttpSessionWrapper class.
> When we try to invalidate the session using [1], the session is not getting 
> invalidated, as in invalidate we are removing only attributes added by this 
> session [2], which contain the prefix "org.apache.felix.http.session.context", and 
> the attribute added by Jetty does not contain this prefix.
> When we tried to remove the attribute by calling the removeAttribute method [3], it 
> was not successful, as this method also adds the prefix 
> "org.apache.felix.http.session.context" to the attributeName passed.
> We also tried to cast this HttpSessionWrapper session object to an 
> "org.eclipse.jetty.server.session.Session" object, but got a 
> ClassCastException. So we are not able to remove this attribute.
> Shouldn't the invalidate method [1] remove all attributes present in this 
> session, or there should be a method to remove an attribute from the underlying 
> container session object in the HttpSessionWrapper class.
> [0]: [https://github.com/apache/felix-dev/blame/b91688862f39bf89c87e019ccf81653bb7ec12a1/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L397]
> [1]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L323]
> [2]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L335]
> [3]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L372]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
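
A simplified model of the behaviour the report describes, added here as an example; it is not Felix or Jetty code. The class names, the attribute name `container.added.attribute`, and the rule that the container session is only invalidated once no attributes remain are assumptions made for illustration; only the prefix string comes from the report.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SessionWrapperModel {
    // Prefix quoted in the report; everything else is a simplified, hypothetical model.
    static final String PREFIX = "org.apache.felix.http.session.context";

    /** Stand-in for the container session. */
    static class ContainerSession {
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
        void invalidate() { attrs.clear(); valid = false; }
    }

    /** Stand-in for the wrapper: every name it touches gets the prefix. */
    static class Wrapper {
        final ContainerSession delegate;
        Wrapper(ContainerSession delegate) { this.delegate = delegate; }
        void setAttribute(String name, Object value) { delegate.attrs.put(PREFIX + "." + name, value); }
        void removeAttribute(String name) { delegate.attrs.remove(PREFIX + "." + name); }
        void invalidate() {
            // Only the wrapper's own (prefixed) attributes are removed.
            delegate.attrs.keySet().removeIf(k -> k.startsWith(PREFIX));
            // Assumption: the container session is dropped only when nothing is left.
            if (delegate.attrs.isEmpty()) { delegate.invalidate(); }
        }
    }

    /** Post-logout check: attribute names the wrapper cannot reach. */
    static List<String> unreachableAttributes(ContainerSession s) {
        List<String> out = new ArrayList<>();
        for (String k : s.attrs.keySet()) { if (!k.startsWith(PREFIX)) out.add(k); }
        return out;
    }

    public static void main(String[] args) {
        ContainerSession container = new ContainerSession();
        // Constructed name, set directly on the container session, bypassing the wrapper.
        container.attrs.put("container.added.attribute", Boolean.TRUE);
        Wrapper session = new Wrapper(container);
        session.setAttribute("user", "alice");
        session.removeAttribute("container.added.attribute"); // targets the prefixed name, removes nothing
        session.invalidate();
        System.out.println("container session still valid: " + container.valid);
        System.out.println("attributes left behind: " + unreachableAttributes(container));
    }
}
```

A check like `unreachableAttributes` in a logout test makes the condition visible: a session that stays valid after logout is one whose ID a client can keep presenting.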
