Posted to dev@geode.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/12/12 22:36:59 UTC

[jira] [Commented] (GEODE-2136) session state module for generic application servers duplicates request cookies

    [ https://issues.apache.org/jira/browse/GEODE-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15743372#comment-15743372 ] 

ASF subversion and git services commented on GEODE-2136:
--------------------------------------------------------

Commit 03715a63eee5f20453f0dc0ec01311b11d7548af in geode's branch refs/heads/feature/GEODE-1930 from [~upthewaterspout]
[ https://git-wip-us.apache.org/repos/asf?p=geode.git;h=03715a6 ]

GEODE-2136: Don't duplicate cookies in the http response

We had some code that copied cookies from the request to the response.
That caused us to include a potentially stale cookie value in the
response.

Adding a unit test that we don't screw up the user's cookies. I had to
bring in a dependency on httpunit, because the HttpTester with jetty is
not correctly parsing multiple Set-Cookie headers.


> session state module for generic application servers duplicates request cookies
> -------------------------------------------------------------------------------
>
>                 Key: GEODE-2136
>                 URL: https://issues.apache.org/jira/browse/GEODE-2136
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Dan Smith
>            Assignee: Dan Smith
>             Fix For: 1.1.0
>
>
> The session state module for generic application servers duplicates cookies from the request to the response. This can lead to issues with user applications if the application tries to modify a cookie.
> Below is the offending code:
> {code}
>     private void addSessionCookie(HttpServletResponse response) {
>       // Don't bother if the response is already committed
>       if (response.isCommitted()) {
>         return;
>       }
>       // Get the existing cookies
>       Cookie[] cookies = getCookies();
>       Cookie cookie = new Cookie(manager.getSessionCookieName(), session.getId());
>       cookie.setPath("".equals(getContextPath()) ? "/" : getContextPath());
>       // Clear out all old cookies and just set ours
>       response.addCookie(cookie);
>       // Replace all other cookies which aren't JSESSIONIDs
>       if (cookies != null) {
>         for (Cookie c : cookies) {
>           if (manager.getSessionCookieName().equals(c.getName())) {
>             continue;
>           }
>           response.addCookie(c);
>         }
>       }
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
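
The duplication described in the issue, as an added example that is not part of the original message or of Geode's code. It models Set-Cookie headers as plain strings instead of using the servlet API; the class and method names, the cookie names and values, and the assumption that the application sets its cookie before the session cookie is added are all constructed for illustration.

```java
import java.util.*;

// Added illustration: Set-Cookie headers are modelled as strings, no servlet API.
public class DuplicateCookieCheck {

    // Reported behaviour: add the session cookie, then re-add every other
    // request cookie. A Cookie request header carries only name=value, so the
    // echoed copy has no Path, HttpOnly or Secure attribute.
    static List<String> withEcho(List<String> appHeaders, Map<String, String> requestCookies,
                                 String sessionName, String sessionId) {
        List<String> out = new ArrayList<>(appHeaders);
        out.add(sessionName + "=" + sessionId + "; Path=/");
        for (Map.Entry<String, String> c : requestCookies.entrySet()) {
            if (!sessionName.equals(c.getKey())) {
                out.add(c.getKey() + "=" + c.getValue());
            }
        }
        return out;
    }

    // Same response without the copy loop: only the session cookie is added.
    static List<String> withoutEcho(List<String> appHeaders, String sessionName, String sessionId) {
        List<String> out = new ArrayList<>(appHeaders);
        out.add(sessionName + "=" + sessionId + "; Path=/");
        return out;
    }

    // Cookie names that occur in more than one Set-Cookie header.
    static Set<String> duplicatedNames(List<String> setCookieHeaders) {
        Set<String> seen = new HashSet<>();
        Set<String> dup = new TreeSet<>();
        for (String h : setCookieHeaders) {
            int eq = h.indexOf('=');
            if (eq <= 0) continue; // not a name=value header, skip it
            String name = h.substring(0, eq).trim();
            if (!seen.add(name)) dup.add(name);
        }
        return dup;
    }

    public static void main(String[] args) {
        // Constructed sample: the browser sent theme=light, the application answers theme=dark.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("JSESSIONID", "constructed-session-id");
        request.put("theme", "light");
        List<String> app = Arrays.asList("theme=dark; Path=/; HttpOnly");

        List<String> echoed = withEcho(app, request, "JSESSIONID", "constructed-session-id");
        System.out.println(echoed + " duplicates=" + duplicatedNames(echoed));
        List<String> clean = withoutEcho(app, "JSESSIONID", "constructed-session-id");
        System.out.println(clean + " duplicates=" + duplicatedNames(clean));
    }
}
```

A check like `duplicatedNames` only works when the test client returns every Set-Cookie header separately, which is the parsing limitation the commit message cites as the reason for switching to httpunit.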