Http Session recreated after invalidate #1255

Closed
lRawd opened this issue Nov 9, 2018 · 8 comments
Labels
status: duplicate A duplicate of another issue

Comments

lRawd commented Nov 9, 2018

Spring Session 2.0.3.RELEASE
After calling invalidate() on an HttpSession in an HTTP request, if later in that same request you have an HttpSession autowired into a bean, a session scoped bean, or call request.getSession(false), the HttpSession is recreated.

After invalidate() is called, the Session object is removed from the repository and the current session attribute is removed from the request wrapper.

However, the request.getSession(false) call repopulates the current session attribute.

When commitSession() is finally called, the current session is populated and it puts the session back into the repository.

lRawd (Author) commented Nov 9, 2018

The code in 2.1.1 is a bit different but it looks like it is still affected by this.

@vpavic vpavic self-assigned this Nov 12, 2018
vpavic (Contributor) commented Nov 12, 2018

Thanks for the report @lRawd.

It's not clear to me which exact sequence of events is required to reproduce this? Any chance you could put together a minimal sample app that would help us understand the problem better?

@vpavic vpavic added the status: waiting-for-feedback We need additional information before we can continue label Nov 12, 2018
lRawd (Author) commented Nov 12, 2018

I think it's as simple as calling:

```java
request.getSession(true).invalidate();
//...
request.getSession(false).getId();
```

I will double check and put a sample together.

vpavic (Contributor) commented Nov 12, 2018

Thanks for following up - I've tried something along those lines but request.getSession(false) returned null for me.

lRawd (Author) commented Nov 13, 2018

In 2.1.2.RELEASE request.getSession(false) returns null but in 2.0.3.RELEASE I am getting a session object back. Although, I am not seeing the same issues that I reported where the session resumed. I must have made a mistake somewhere in my code that caused the sessions to get recreated. If I find something as I continue development with the latest version then I will reopen this.

@lRawd lRawd closed this as completed Nov 13, 2018
vpavic (Contributor) commented Nov 13, 2018

Thanks for following up again @lRawd - just to be safe, could you give 2.0.7.RELEASE a spin? This is to ensure the latest release from 2.0.x line is OK. Thanks!

@vpavic vpavic reopened this Nov 13, 2018
vpavic (Contributor) commented Nov 13, 2018

@lRawd I've managed to reproduce this using 2.0.3.RELEASE - this is actually a duplicate of #1076 that was resolved in 2.0.4.RELEASE. So please upgrade to 2.0.4.RELEASE or preferably latest release from 2.0.x line (2.0.7.RELEASE that is).

@vpavic vpavic closed this as completed Nov 13, 2018
vpavic (Contributor) commented Nov 13, 2018

Duplicate of #1076

@vpavic vpavic marked this as a duplicate of #1076 Nov 13, 2018
@vpavic vpavic added status: duplicate A duplicate of another issue and removed status: waiting-for-feedback We need additional information before we can continue labels Nov 13, 2018
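
A simplified model of the sequence described in this issue, added here as an example: it is not Spring Session's code, and the class, field and method names, the cached lookup, and the `guard` flag are all assumptions made for illustration. It shows how a session deleted by invalidate() can be written back at commit time when a later lookup in the same request repopulates the current session, and how remembering the invalidation for the rest of the request prevents that.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a repository-backed request wrapper; all names are hypothetical.
public class InvalidateModel {
    static final Map<String, String> repository = new HashMap<>(); // session id -> session data

    static class RequestWrapper {
        final String requestedId;  // session id sent by the client
        final boolean guard;       // true = remember invalidation for the rest of the request
        String cachedRequested;    // session loaded once for requestedId (assumed cache)
        String current;            // the "current session" attribute
        boolean invalidated;
        RequestWrapper(String id, boolean guard) { this.requestedId = id; this.guard = guard; }
        String getSession() {      // plays the role of getSession(false)
            if (current != null) return current;
            if (guard && invalidated) return null;  // do not resurrect within this request
            if (cachedRequested == null) cachedRequested = repository.get(requestedId);
            current = cachedRequested;              // repopulates the current session
            return current;
        }
        void invalidate() {
            repository.remove(requestedId);  // session removed from the repository
            current = null;                  // current session attribute cleared
            invalidated = true;
        }

        void commitSession() {     // runs once at the end of the request
            if (current != null) repository.put(requestedId, current);
        }
    }

    // Returns true if the session is back in the repository after the request completes.
    static boolean survivesInvalidate(boolean guard) {
        repository.clear();
        repository.put("sid-1", "user=alice");  // constructed sample session
        RequestWrapper request = new RequestWrapper("sid-1", guard);
        request.getSession();     // handler reads the session
        request.invalidate();     // e.g. logout
        request.getSession();     // later lookup in the same request
        request.commitSession();
        return repository.containsKey("sid-1");
    }

    public static void main(String[] args) {
        System.out.println("without guard, session survives: " + survivesInvalidate(false));
        System.out.println("with guard, session survives: " + survivesInvalidate(true));
    }
}
```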