Jetty version(s)
12.0.0
Jetty Environment
ee10 (embedded Jetty)
Java version/vendor
OpenJDK 20
OS type/version
Fedora 38, Ubuntu 23.04
Description
When a request arrives with a session ID in a URL parameter that refers to a session that does not exist,
request.isRequestedSessionIdFromURL()
returns true (correct), but
request.isRequestedSessionIdValid()
also returns true (incorrect).
How to reproduce?
I reproduce this by
1 - start my Jetty embedding application
2 - enter the URL into the browser
3 - login creating a user session and being redirected to a URL with a session ID parameter
4 - stop/start the application after which the session no longer exists
5 - refresh the page with the URL holding the ID of the no longer existing session
6 - expect the page to redirect to a URL without a session ID parameter
7 - see that this does not happen
The application checks both methods and in case of
request.isRequestedSessionIdFromURL() && !request.isRequestedSessionIdValid()
a redirect response is generated to the same URL without the session ID parameter. This does not work in Jetty 12.
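The check the reporter describes, as an added example that is not code from the issue or from Jetty: a hypothetical jakarta.servlet filter for the ee10 environment that applies the condition request.isRequestedSessionIdFromURL() && !request.isRequestedSessionIdValid() and redirects to the same server-relative URL with the session ID removed. The point of dropping a stale ID rather than carrying it along is that session IDs in URLs leak through Referer headers, browser history and access logs, and a dead ID has no reason to survive in any of them. Assumptions made here: the session ID travels as Jetty's default ";jsessionid=" path parameter, and the class name StaleUrlSessionIdFilter and the helper names are invented for this example.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not the reporter's application, not Jetty code).
 * If the request carries a session ID in the URL that no longer resolves to a
 * live session, redirect to the same URL without that ID.
 */
public class StaleUrlSessionIdFilter implements Filter {

    // Assumption: the ID is carried as Jetty's default path parameter
    // ";jsessionid=<id>" appended to a path segment.
    private static final Pattern JSESSIONID_PATH_PARAM =
            Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    /** The exact condition from the issue: ID came from the URL and is not valid. */
    static boolean hasStaleUrlSessionId(HttpServletRequest request) {
        return request.isRequestedSessionIdFromURL()
                && !request.isRequestedSessionIdValid();
    }

    /** Server-relative URL of this request (path plus query string), unchanged. */
    static String originalUrl(HttpServletRequest request) {
        String query = request.getQueryString();
        return query == null ? request.getRequestURI()
                             : request.getRequestURI() + "?" + query;
    }

    /** Same URL with the ";jsessionid=..." path parameter stripped. */
    static String urlWithoutSessionId(HttpServletRequest request) {
        String path = JSESSIONID_PATH_PARAM.matcher(request.getRequestURI()).replaceAll("");
        String query = request.getQueryString();
        return query == null ? path : path + "?" + query;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (hasStaleUrlSessionId(request)) {
            String target = urlWithoutSessionId(request);
            // Redirect only if something was actually removed; a redirect to an
            // identical URL would loop forever (and also covers containers whose
            // getRequestURI() does not expose the path parameter).
            if (!target.equals(originalUrl(request))) {
                // The target is built from this request's own path and query,
                // never from a client-supplied Location, so it stays on this host.
                response.setHeader("Cache-Control", "no-store");
                response.sendRedirect(target);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register it for all paths on the ee10 ServletContextHandler with addFilter(StaleUrlSessionIdFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST)). Against the behaviour reported above for 12.0.0 the filter never fires, because isRequestedSessionIdValid() keeps returning true for the dead session; that is exactly the symptom in step 7 of the reproduction. As a belt-and-braces signal, request.getSession(false) == null after a restart would indicate the same thing, though whether it is unaffected by this bug is not stated in the report.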