Posted to dev@geode.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/12/12 22:36:59 UTC
[jira] [Commented] (GEODE-2136) session state module for generic application servers duplicates request cookies
[ https://issues.apache.org/jira/browse/GEODE-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15743372#comment-15743372 ]
ASF subversion and git services commented on GEODE-2136:
--------------------------------------------------------
Commit 03715a63eee5f20453f0dc0ec01311b11d7548af in geode's branch refs/heads/feature/GEODE-1930 from [~upthewaterspout]
[ https://git-wip-us.apache.org/repos/asf?p=geode.git;h=03715a6 ]
GEODE-2136: Don't duplicate cookies in the http response
We had some code that copied cookies from the request to the response.
That caused us to include a potentially stale cookie value in the
response.
Adding a unit test that we don't screw up the users' cookies. I had to
bring in a dependency on httpunit, because the HttpTester with jetty is
not correctly parsing multiple Set-Cookie headers.
> session state module for generic application servers duplicates request cookies
> -------------------------------------------------------------------------------
>
> Key: GEODE-2136
> URL: https://issues.apache.org/jira/browse/GEODE-2136
> Project: Geode
> Issue Type: Bug
> Components: http session
> Reporter: Dan Smith
> Assignee: Dan Smith
> Fix For: 1.1.0
>
>
> The session state module for generic application servers duplicates from the request to the response. This can lead to issues with user applications if the application tries to modify a cookie.
> Below is the offending code
> {code}
> private void addSessionCookie(HttpServletResponse response) {
>   // Don't bother if the response is already committed
>   if (response.isCommitted()) {
>     return;
>   }
>   // Get the existing cookies
>   Cookie[] cookies = getCookies();
>   Cookie cookie = new Cookie(manager.getSessionCookieName(), session.getId());
>   cookie.setPath("".equals(getContextPath()) ? "/" : getContextPath());
>   // Clear out all old cookies and just set ours
>   response.addCookie(cookie);
>   // Replace all other cookies which aren't JSESSIONIDs
>   if (cookies != null) {
>     for (Cookie c : cookies) {
>       if (manager.getSessionCookieName().equals(c.getName())) {
>         continue;
>       }
>       response.addCookie(c);
>     }
>   }
> }
> {code}
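The effect described in the commit message and the issue above, as an added example that is not part of the original message or of Geode's code: it models the Set-Cookie headers of one response without the servlet API and shows both the duplicated name and the stale value a client ends up storing. The class and method names, the cookie values, and the position of the echoed cookie after the application's own header are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example (hypothetical names): models the Set-Cookie headers of a response
// in which request cookies are echoed back, as the quoted addSessionCookie() does.
public class DuplicateCookieCheck {

    // Splits one Set-Cookie value ("name=value; Attr=...") into {name, value}.
    static String[] nameValue(String setCookie) {
        String pair = setCookie.split(";", 2)[0];
        int eq = pair.indexOf('=');
        if (eq < 0) return new String[] {pair.trim(), ""};
        return new String[] {pair.substring(0, eq).trim(), pair.substring(eq + 1).trim()};
    }

    // Names that appear in more than one Set-Cookie header of a single response.
    static Set<String> duplicatedNames(List<String> headers) {
        Set<String> seen = new TreeSet<>();
        Set<String> dups = new TreeSet<>();
        for (String h : headers) {
            String name = nameValue(h)[0];
            if (!seen.add(name)) dups.add(name);
        }
        return dups;
    }

    // What a client stores: headers are applied in order, so the last one for a name wins.
    // Simplification: same-name cookies are assumed to share one domain and path.
    static Map<String, String> storedByClient(List<String> headers) {
        Map<String, String> jar = new LinkedHashMap<>();
        for (String h : headers) jar.put(nameValue(h)[0], nameValue(h)[1]);
        return jar;
    }

    public static void main(String[] args) {
        // Constructed scenario: the request carried theme=light, the application changes it.
        Map<String, String> requestCookies = Collections.singletonMap("theme", "light");
        List<String> response = new ArrayList<>();
        response.add("theme=dark");                 // set by the application
        response.add("JSESSIONID=abc123; Path=/");  // session cookie (constructed id)
        // Echo of the request cookies; placing it after the application's header is an assumption.
        requestCookies.forEach((n, v) -> response.add(n + "=" + v));

        System.out.println("duplicated: " + duplicatedNames(response));
        System.out.println("client stores theme=" + storedByClient(response).get("theme"));
    }
}
```

The same duplicatedNames check can be applied to the Set-Cookie headers captured in an integration test to assert that no cookie name is emitted twice in one response.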