Posted to dev@felix.apache.org by "Abhishek Garg (Jira)" <ji...@apache.org> on 2020/10/02 06:54:00 UTC
[jira] [Created] (FELIX-6342) HTTP Session not invalidated over HTTPS
Abhishek Garg created FELIX-6342:
------------------------------------
Summary: HTTP Session not invalidated over HTTPS
Key: FELIX-6342
URL: https://issues.apache.org/jira/browse/FELIX-6342
Project: Felix
Issue Type: Improvement
Components: HTTP Service
Affects Versions: http.base-4.1.0, http.jetty-4.1.0
Reporter: Abhishek Garg
Jetty is adding an additional attribute over HTTPS on the session object, not by using the setAttribute() method [0] of the HttpSessionWrapper class.
When we try to invalidate the session using [1], the session is not getting invalidated, as in invalidate we are removing only the attributes added by this session [2], which contain the prefix "org.apache.felix.http.session.context", and the attribute added by Jetty does not contain this prefix.
When we tried to remove the attribute by calling the removeAttribute method [3], it was not successful, as this method also adds the prefix "org.apache.felix.http.session.context" to the attributeName passed.
We also tried to cast this HttpSessionWrapper session object to an "org.eclipse.jetty.server.session.Session" object, but got a ClassCastException. So we are not able to remove this attribute.
Shouldn't the invalidate method [1] remove all attributes present in this session, or shouldn't there be a method to remove an attribute from the underlying container session object in the HttpSessionWrapper class?
[0]: [https://github.com/apache/felix-dev/blame/b91688862f39bf89c87e019ccf81653bb7ec12a1/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L397]
[1]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L323]
[2]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L335]
[3]: [https://github.com/apache/felix-dev/blob/master/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpSessionWrapper.java#L372]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
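
The behaviour reported above, as a simplified model added here for illustration; it is not Felix or Jetty code and not part of the original message. The class names, the "." separator after the prefix, the attribute name `container.added.attribute`, the rule that the delegate is invalidated only once no attributes remain, and the method `removeContainerAttribute` (the reporter's second proposal) are all assumptions.

```java
import java.util.HashMap;
import java.util.Map;

public class SessionWrapperModel {
    // Prefix quoted in the report; the "." separator is an assumption of this model.
    static final String PREFIX = "org.apache.felix.http.session.context";

    // Constructed stand-in for the container's session object.
    static class ContainerSession {
        final Map<String, Object> attributes = new HashMap<>();
        boolean valid = true;
    }

    // Simplified model of the wrapper behaviour described in the report.
    static class Wrapper {
        final ContainerSession delegate;
        Wrapper(ContainerSession delegate) { this.delegate = delegate; }

        void setAttribute(String name, Object value) { delegate.attributes.put(PREFIX + "." + name, value); }

        // Always prefixes the name, so it can never reach a container-owned key.
        void removeAttribute(String name) { delegate.attributes.remove(PREFIX + "." + name); }

        // Removes only prefixed keys. Assumption: the delegate is invalidated
        // only when nothing is left on it afterwards.
        void invalidate() {
            delegate.attributes.keySet().removeIf(k -> k.startsWith(PREFIX));
            if (delegate.attributes.isEmpty()) delegate.valid = false;
        }

        // Hypothetical method, following the reporter's second proposal.
        void removeContainerAttribute(String name) { delegate.attributes.remove(name); }
    }

    public static void main(String[] args) {
        ContainerSession jetty = new ContainerSession();
        // Constructed name for the attribute the container sets itself over HTTPS.
        jetty.attributes.put("container.added.attribute", Boolean.TRUE);

        Wrapper session = new Wrapper(jetty);
        session.setAttribute("user", "alice");

        session.removeAttribute("container.added.attribute"); // no effect: key gets prefixed
        session.invalidate();
        System.out.println("after invalidate(): valid=" + jetty.valid + " left=" + jetty.attributes.keySet());

        session.removeContainerAttribute("container.added.attribute");
        session.invalidate();
        System.out.println("after unprefixed removal: valid=" + jetty.valid + " left=" + jetty.attributes.keySet());
    }
}
```

In a real deployment, a logout test can confirm the outcome by checking that `request.getSession(false)` returns null on the next request made with the old session cookie over HTTPS.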