[ https://issues.apache.org/jira/browse/GEODE-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15743372#comment-15743372 ]

ASF subversion and git services commented on GEODE-2136:
--------------------------------------------------------

Commit 03715a63eee5f20453f0dc0ec01311b11d7548af in geode's branch refs/heads/feature/GEODE-1930 from [~upthewaterspout]
[ https://git-wip-us.apache.org/repos/asf?p=geode.git;h=03715a6 ]

GEODE-2136: Don't duplicate cookies in the http response

We had some code that copied cookies from the request to the response.
That caused us to include a potentially stale cookie value in the
response.

Adding a unit test that we don't screw up the user's cookies. I had to bring
in a dependency on httpunit, because the HttpTester with jetty is not
correctly parsing multiple Set-Cookie headers.


> session state module for generic application servers duplicates request cookies
> -------------------------------------------------------------------------------
>
>                 Key: GEODE-2136
>                 URL: https://issues.apache.org/jira/browse/GEODE-2136
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Dan Smith
>            Assignee: Dan Smith
>             Fix For: 1.1.0
>
>
> The session state module for generic application servers duplicates from the
> request to the response. This can lead to issues with user applications if
> the application tries to modify a cookie.
> Below is the offending code
> {code}
>   private void addSessionCookie(HttpServletResponse response) {
>     // Don't bother if the response is already committed
>     if (response.isCommitted()) {
>       return;
>     }
>     // Get the existing cookies
>     Cookie[] cookies = getCookies();
>     Cookie cookie = new Cookie(manager.getSessionCookieName(), session.getId());
>     cookie.setPath("".equals(getContextPath()) ? "/" : getContextPath());
>     // Clear out all old cookies and just set ours
>     response.addCookie(cookie);
>     // Replace all other cookies which aren't JSESSIONIDs
>     if (cookies != null) {
>       for (Cookie c : cookies) {
>         if (manager.getSessionCookieName().equals(c.getName())) {
>           continue;
>         }
>         response.addCookie(c);
>       }
>     }
>   }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)