You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Steven Huypens (Jira)" <ji...@apache.org> on 2022/02/11 11:00:00 UTC
[jira] [Created] (FELIX-6504) HttpSessionWrapper getId() throws unexpected IllegalStateException
Steven Huypens created FELIX-6504:
-------------------------------------
Summary: HttpSessionWrapper getId() throws unexpected IllegalStateException
Key: FELIX-6504
URL: https://issues.apache.org/jira/browse/FELIX-6504
Project: Felix
Issue Type: Bug
Components: HTTP Service
Reporter: Steven Huypens
When using Spring's SecurityContextLogoutHandler, I ran into an IllegalStateException because of this code
{code:java}
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
if (this.logger.isDebugEnabled()) {
this.logger.debug(LogMessage.format("Invalidated session %s", session.getId()));
}
} {code}
Looking at the HttpSessionWrapper.java this makes sense
{code}
@Override
public String getId()
{
this.checkInvalid();
if ( this.config.isUniqueSessionId() )
{
return this.delegate.getId().concat("-").concat(this.sessionId);
}
return this.delegate.getId();
}
{code}
The Spring code assumes session.getId() can safely be called, even after the session has been invalidated. I'm note sure where to look for the specs, but I think that assumption is correct.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)