Posted to dev@felix.apache.org by "Abhishek Garg (Jira)" <ji...@apache.org> on 2020/10/02 06:54:00 UTC

[jira] [Created] (FELIX-6342) HTTP Session not invalidated over HTTPS

Abhishek Garg created FELIX-6342:
------------------------------------

             Summary: HTTP Session not invalidated over HTTPS
                 Key: FELIX-6342
                 URL: https://issues.apache.org/jira/browse/FELIX-6342
             Project: Felix
          Issue Type: Improvement
          Components: HTTP Service
    Affects Versions: http.base-4.1.0, http.jetty-4.1.0
            Reporter: Abhishek Garg


Jetty is adding an additional attribute over HTTPS on the session object, not by using the setAttribute() method [0] of the HttpSessionWrapper class.

When we are trying to invalidate the session using [1], the session is not getting invalidated, as in invalidate we are removing only attributes added by this session [2], which contain the prefix "org.apache.felix.http.session.context", and the attribute added by Jetty does not contain this prefix.

When we tried to remove the attribute by calling the removeAttribute method [3], it was not successful, as this method is also adding the prefix "org.apache.felix.http.session.context" to the attributeName passed.

We also tried to cast this HttpSessionWrapper session object into an "org.eclipse.jetty.server.session.Session" object, but got a ClassCastException. So we are not able to remove this attribute.

Shouldn't the invalidate method [1] remove all attributes present in this session? Or there should be a method to remove an attribute from the underlying container session object in the HttpSessionWrapper class.

[0]: https://github.com/apache/felix-dev/blame/b91688862f39bf89c87e019ccf81653bb7ec12a1/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L397
[1]: https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L323
[2]: https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L335
[3]: https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L372



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
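
The behaviour described in the report above, as a simplified stand-alone model added here; it is not Felix's HttpSessionWrapper or Jetty code and not part of the original message. The map standing in for the container session, the class name, the "." separator after the prefix and the attribute name `container.tls.attribute` are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class PrefixedSessionModel {
    // Prefix quoted in the report; the trailing "." separator is an assumption of this model.
    static final String PREFIX = "org.apache.felix.http.session.context.";

    // Stand-in for the container session's attribute store (hypothetical).
    final Map<String, Object> container = new HashMap<>();

    // Application writes are stored under the wrapper's own namespace.
    void setAttribute(String name, Object value) {
        container.put(PREFIX + name, value);
    }

    // The name is prefixed first, so an un-prefixed container key can never be addressed.
    void removeAttribute(String name) {
        container.remove(PREFIX + name);
    }

    // Removes only the keys the wrapper owns, as the report describes.
    void invalidate() {
        container.keySet().removeIf(key -> key.startsWith(PREFIX));
    }

    // Check to run after invalidate(): names still present on the container session.
    List<String> residualAttributes() {
        List<String> names = new ArrayList<>(container.keySet());
        Collections.sort(names);
        return names;
    }

    public static void main(String[] args) {
        PrefixedSessionModel session = new PrefixedSessionModel();
        session.setAttribute("user", "alice");                    // constructed application data
        session.container.put("container.tls.attribute", "x");    // constructed: set by the container, bypassing the wrapper
        session.removeAttribute("container.tls.attribute");       // looks up PREFIX + name, so nothing is removed
        session.invalidate();                                     // clears only PREFIX-ed keys
        System.out.println("residual after invalidate: " + session.residualAttributes());
    }
}
```

Listing the remaining attribute names after a logout path, as `residualAttributes()` does here, is a quick way to confirm whether anything outside the wrapper's prefix survives invalidation.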