Emond Papegaaij created WICKET-6530:
---------------------------------------

             Summary: Race-condition in session invalidation
                 Key: WICKET-6530
                 URL: https://issues.apache.org/jira/browse/WICKET-6530
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 8.0.0-M8, 7.9.0
            Reporter: Emond Papegaaij


Session.invalidate sets a boolean on the session that invalidation is required 
on detach. However, this boolean can be read by several requests, triggering 
multiple invalidations. An HTTP session can only be invalidated once; every 
subsequent call will trigger an IllegalStateException:
{code:java}
Caused by: java.lang.IllegalStateException: UT000021: Session already invalidated
        at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:543)
        at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
        at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
        at org.apache.wicket.session.HttpSessionStore.invalidate(HttpSessionStore.java:188)
        at org.apache.wicket.Session.destroy(Session.java:493)
        at org.apache.wicket.Session.invalidateNow(Session.java:508)
        at org.wicketstuff.security.WaspSession.invalidateNow(WaspSession.java:117)
        at org.apache.wicket.Session.detach(Session.java:655)
        at org.wicketstuff.security.WaspSession.detach(WaspSession.java:129)
        at org.apache.wicket.request.cycle.RequestCycle.onDetach(RequestCycle.java:654)
        at org.apache.wicket.request.cycle.RequestCycle.detach(RequestCycle.java:594)
        at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:297)
        at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
        at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
        at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        ... 55 more{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
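
The check-then-act pattern described in the report, reduced to a stand-alone Java sketch. This is an added example, not Wicket's code and not the fix applied for WICKET-6530; FakeHttpSession, run and the flag name pending are hypothetical, and the compareAndSet guard is one common way to make sure only one request performs the invalidation.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;

public class InvalidateRaceDemo {
    /** Hypothetical stand-in for a container HTTP session: a second invalidate() throws. */
    static class FakeHttpSession {
        private final AtomicBoolean valid = new AtomicBoolean(true);
        void invalidate() {
            if (!valid.compareAndSet(true, false))
                throw new IllegalStateException("Session already invalidated");
        }
    }

    /** Runs `threads` concurrent detach steps and returns how many of them threw. */
    static int run(int threads, boolean guarded) throws InterruptedException {
        FakeHttpSession http = new FakeHttpSession();
        AtomicBoolean pending = new AtomicBoolean(true); // "invalidate on detach" flag
        AtomicInteger failures = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] workers = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            workers[i] = new Thread(() -> {
                try {
                    start.await(); // release all simulated requests at once
                    // Unguarded: every request that still reads the flag as set invalidates.
                    // Guarded: compareAndSet lets exactly one request claim the invalidation.
                    boolean mine = guarded ? pending.compareAndSet(true, false) : pending.get();
                    if (mine) {
                        http.invalidate();
                        pending.set(false);
                    }
                } catch (IllegalStateException e) {
                    failures.incrementAndGet();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
            workers[i].start();
        }
        start.countDown();
        for (Thread t : workers) t.join();
        return failures.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unguarded failures: " + run(8, false));
        System.out.println("guarded failures:   " + run(8, true));
    }
}
```

The unguarded count depends on thread timing and can differ between runs; the guarded variant calls invalidate() at most once regardless of interleaving.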
