Posted to dev@felix.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2020/10/04 11:30:00 UTC

[jira] [Work started] (FELIX-6342) HTTP Session not invalidated over HTTPS

     [ https://issues.apache.org/jira/browse/FELIX-6342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on FELIX-6342 started by Carsten Ziegeler.
-----------------------------------------------
> HTTP Session not invalidated over HTTPS
> ---------------------------------------
>
>                 Key: FELIX-6342
>                 URL: https://issues.apache.org/jira/browse/FELIX-6342
>             Project: Felix
>          Issue Type: Improvement
>          Components: HTTP Service
>    Affects Versions: http.jetty-4.1.0, http.base-4.1.0
>            Reporter: Abhishek Garg
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: http.jetty-4.1.2, http.base-4.1.2
>
>
> Jetty is adding an additional attribute over HTTPS on the session object, not by using the setAttribute() method [0] of the HttpSessionWrapper class.
> When we are trying to invalidate the session using [1], the session is not getting invalidated, as in invalidate we are removing only attributes added by this session [2], which contain the prefix "org.apache.felix.http.session.context", and the attribute added by Jetty does not contain this prefix.
> When we tried to remove the attribute by calling the removeAttribute method [3], it was not successful, as this method is also adding the prefix "org.apache.felix.http.session.context" to the attributeName passed.
> We also tried to cast this HttpSessionWrapper session object into an "org.eclipse.jetty.server.session.Session" object, but got a ClassCastException. So we are not able to remove this attribute.
> Shouldn't the invalidate method [1] remove all attributes present in this session, or shouldn't there be a method to remove an attribute from the underlying container session object in the HttpSessionWrapper class?
> [0]: [https://github.com/apache/felix-dev/blame/b91688862f39bf89c87e019ccf81653bb7ec12a1/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L397]
> [1]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L323]
> [2]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L335]
> [3]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L372]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
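
The behaviour described in the report, as an added simplified model (not Felix or Jetty code, and not the fix shipped in 4.1.2). Assumptions: the class names, the context id "ctx1" and the container attribute name are constructed, and the "before" logic is assumed to invalidate the container session only when no attributes remain; the second method is one possible alternative check.

```java
import java.util.*;
// Simplified model of the reported behaviour; hypothetical classes, not Felix or Jetty code.
public class ScopedSessionDemo {
    static class ContainerSession { // hypothetical stand-in for the container's session
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
    }
    // Prefix quoted in the report; the per-context suffix used below is constructed.
    static final String PREFIX = "org.apache.felix.http.session.context";
    static class ScopedSession {
        final ContainerSession delegate;
        final String scope;
        ScopedSession(ContainerSession d, String ctx) { delegate = d; scope = PREFIX + "." + ctx + "."; }
        void setAttribute(String n, Object v) { delegate.attrs.put(scope + n, v); }
        // The name is always prefixed, so container-owned keys cannot be reached from here.
        void removeAttribute(String n) { delegate.attrs.remove(scope + n); }
        // Assumed "before" logic: drop own keys, invalidate the container only if nothing is left.
        void invalidateIfEmpty() {
            delegate.attrs.keySet().removeIf(k -> k.startsWith(scope));
            if (delegate.attrs.isEmpty()) delegate.valid = false;
        }
        // Alternative check: keys that no wrapper owns do not keep the session alive.
        void invalidateIfNoScopedLeft() {
            delegate.attrs.keySet().removeIf(k -> k.startsWith(scope));
            if (delegate.attrs.keySet().stream().noneMatch(k -> k.startsWith(PREFIX)))
                delegate.valid = false;
        }
    }
    static ContainerSession newHttpsSession() {
        ContainerSession c = new ContainerSession();
        c.attrs.put("container.added.attribute", "x"); // constructed name, set by the container itself
        return c;
    }
    public static void main(String[] args) {
        ContainerSession a = newHttpsSession();
        ScopedSession s1 = new ScopedSession(a, "ctx1");
        s1.setAttribute("user", "alice");
        s1.removeAttribute("container.added.attribute"); // no effect: the name gets prefixed
        s1.invalidateIfEmpty();
        System.out.println("empty-check:  valid=" + a.valid + " attrs=" + a.attrs.keySet());
        ContainerSession b = newHttpsSession();
        ScopedSession s2 = new ScopedSession(b, "ctx1");
        s2.setAttribute("user", "alice");
        s2.invalidateIfNoScopedLeft();
        System.out.println("scoped-check: valid=" + b.valid);
    }
}
```

In this model the first run leaves the container session valid after logout because the unprefixed attribute survives, which is the condition a post-logout test should assert against.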