Expected Behavior
There should be a new boolean configuration property that enables turning sessions which exist but cannot be successfully restored from a SessionRepository automatically into a new session. The default value for this property should reflect the current behavior.
Current Behavior
If a session cookie contains a valid session ID and the session exists but cannot be restored (e.g. via Redis or JDBC), an exception is thrown, which (by default) makes the request fail with an internal server error. Unfortunately this problem persists if the request is retried, which can be very annoying for the users that own such a session. Such a case can easily happen if a session was serialized with an old version of the software and a new version tries to restore it, but deserialization fails, for example because the serialVersionUID of a serialized class has changed.
Context
Class serialVersionUIDs can change over time and they may not always be under your own control. For example, recently Spring Security's DefaultSavedRequest's serialVersionUID was changed, which broke all serialized sessions that contained a DefaultSavedRequest as an attribute.
This feature should be in spring-session-core so that it is independent of the session repository used. It could easily be added to SessionRepositoryRequestWrapper.getSession(boolean), where getRequestedSession() is called, or inside getRequestedSession(). If an exception is thrown, the session should be treated as non-existent instead so that a new session is generated.
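As an added illustration of the behavior the issue asks for, written here as a hypothetical decorator and not code from Spring Session itself: it wraps any SessionRepository (assumes the Spring Session 2.x interface with createSession/save/findById/deleteById) and makes a session that exists but cannot be restored look absent to the filter, so a fresh session is created instead of every retried request failing. The predicate that decides what counts as a restore failure is caller-supplied, so that a store outage is not mistaken for a broken session.

```java
import java.util.function.Predicate;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;

// Hypothetical decorator (not part of spring-session-core): treats a session
// that exists but cannot be restored as non-existent. The filter's
// getRequestedSession() then sees null and getSession(true) creates a new one.
public final class LenientSessionRepository<S extends Session> implements SessionRepository<S> {

    private final SessionRepository<S> delegate;
    private final Predicate<Exception> isRestoreFailure;
    private final boolean discardBrokenSessions;

    public LenientSessionRepository(SessionRepository<S> delegate,
                                    Predicate<Exception> isRestoreFailure,
                                    boolean discardBrokenSessions) {
        this.delegate = delegate;
        this.isRestoreFailure = isRestoreFailure;
        this.discardBrokenSessions = discardBrokenSessions;
    }

    @Override
    public S findById(String id) {
        try {
            return delegate.findById(id);
        } catch (RuntimeException ex) {
            // Only swallow failures the predicate recognises (e.g. a
            // deserialization error). A connectivity failure must still surface,
            // otherwise every user would silently lose their session during an outage.
            if (!isRestoreFailure.test(ex)) {
                throw ex;
            }
            if (discardBrokenSessions) {
                try {
                    delegate.deleteById(id); // drop the unreadable entry for good
                } catch (RuntimeException ignored) {
                    // Some repositories re-read the session while deleting it and
                    // hit the same error; the entry will expire on its own.
                }
            }
            return null; // "no such session": the caller generates a new one
        }
    }

    @Override public S createSession() { return delegate.createSession(); }
    @Override public void save(S session) { delegate.save(session); }
    @Override public void deleteById(String id) { delegate.deleteById(id); }
}
```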