You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@felix.apache.org by "Steven Huypens (Jira)" <ji...@apache.org> on 2022/02/11 11:00:00 UTC

[jira] [Created] (FELIX-6504) HttpSessionWrapper getId() throws unexpected IllegalStateException

Steven Huypens created FELIX-6504:
-------------------------------------

             Summary: HttpSessionWrapper getId() throws unexpected IllegalStateException
                 Key: FELIX-6504
                 URL: https://issues.apache.org/jira/browse/FELIX-6504
             Project: Felix
          Issue Type: Bug
          Components: HTTP Service
            Reporter: Steven Huypens


When using Spring's SecurityContextLogoutHandler, I ran into an IllegalStateException because of this code
 
{code:java}
HttpSession session = request.getSession(false);
if (session != null) {
   session.invalidate();
   if (this.logger.isDebugEnabled()) {
      this.logger.debug(LogMessage.format("Invalidated session %s", session.getId()));
   }
} {code}

Looking at the HttpSessionWrapper.java this makes sense

{code}
@Override
    public String getId()
    {
        this.checkInvalid();
        if ( this.config.isUniqueSessionId() )
        {
            return this.delegate.getId().concat("-").concat(this.sessionId);
        }
        return this.delegate.getId();
    }
{code}

The Spring code assumes session.getId() can safely be called, even after the session has been invalidated. I'm note sure where to look for the specs, but I think that assumption is correct.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)