
Re: [jetty-dev] Custom SessionManager in conjunction with a filter that creates a new session and invalidates the current

Hi,

After further investigation, I found that in previous versions (I looked at 7.1.4), the session handler, in the finally clause of SessionHandler#doScope, obtained the current session by calling request.getSession(false).

This produces the desired behavior in my case as the Session#complete() call will be made on the new session.

I saw that this behavior was changed in newer versions (I looked at 8.1.2): now the current session is saved at the start of SessionHandler#doScope, and Session#complete is called on it if it exists.


Why was this behavior changed?

BTW: I’ve noticed that JDBCSessionManager shares similar behavior with our custom session manager, so it will suffer from the same issue I described.


Thanks again,

Dan Kilman.


From: Dan Kilman
Sent: Monday, September 10, 2012 17:58
To: 'jetty-dev@xxxxxxxxxxx'
Subject: Custom SessionManager in conjunction with a filter that creates a new session and invalidates the current


Hi,

I’m not sure this is the correct place to post this question; if it isn’t, I apologize in advance.


I work at GigaSpaces on the XAP Platform, and we have an integration with Jetty in which we allow users to deploy web applications running on embedded Jetty servers.


As part of this integration, we have a custom session manager (which extends AbstractSessionManager) to allow clustered session management using our distributed in-memory datagrid.


I have run into the following problem with a user that deployed an application which used Spring Web Security.

Spring’s security filter invalidates the current session and creates a new copy of it in order to prevent session fixation attacks.

The problem is that we “flush” the data to the datagrid only when Session#complete() is called, and complete is called on the old session, so when a new HTTP request arrives as part of the new session, its attributes are not in sync with the modifications that the security filter may have made after creating the new session, because they were never “flushed”.

Is there some way I can make the session handler aware of the new session that one of the filters created?


Thanks, Dan Kilman.
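The following servlet filter is an added illustration of the session-fixation pattern the thread discusses (copy the attributes of the current session into a brand-new session, then invalidate the old one). It is not Spring Security's SessionManagementFilter and not GigaSpaces or Jetty code; the class name, the `AUTH_MARKER` and `MIGRATED` attribute names, and the trigger condition are hypothetical and exist only to make the example self-contained against the plain javax.servlet API.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical session-fixation protection filter (added example, not the
 * project's or Spring Security's own code). When a request arrives on a
 * session that a login step has marked as authenticated, it migrates that
 * session's attributes into a fresh session with a new id and invalidates
 * the old one, so an id an attacker planted before login is no longer valid.
 */
public class SessionFixationProtectionFilter implements Filter {

    /** Attribute a login step is assumed to set on success (hypothetical name). */
    static final String AUTH_MARKER = "authenticated";

    /** Guard so each authenticated session is migrated only once (hypothetical name). */
    static final String MIGRATED = "sessionMigrated";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // The container captured this session object (or null) at request start.
        HttpSession old = request.getSession(false);

        if (old != null
                && old.getAttribute(AUTH_MARKER) != null
                && old.getAttribute(MIGRATED) == null) {
            HttpSession fresh = migrate(request, old);
            fresh.setAttribute(MIGRATED, Boolean.TRUE);
            // From here on, this filter and everything downstream write to
            // 'fresh', a session object created mid-request, not to 'old'.
        }
        chain.doFilter(req, res);
    }

    /**
     * Copies every attribute of {@code old} into a new session, invalidates
     * {@code old} so its id can no longer be used, and returns the new session.
     */
    static HttpSession migrate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();                             // old id is now rejected
        HttpSession fresh = request.getSession(true); // new id, new Set-Cookie
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter ahead of the application's own filters so the migration happens before any handler writes authenticated state. The point of the example in the context of the thread is the split between `old` and `fresh`: a session manager that persists attributes only when the container calls complete() on the session it captured at the start of the request would, as the post describes, persist `old` (already invalidated) and never see the attributes written to `fresh`.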

