Steven Huypens created FELIX-6504:
-------------------------------------
Summary: HttpSessionWrapper getId() throws unexpected
IllegalStateException
Key: FELIX-6504
URL: https://issues.apache.org/jira/browse/FELIX-6504
Project: Felix
Issue Type: Bug
Components: HTTP Service
Reporter: Steven Huypens
When using Spring's SecurityContextLogoutHandler, I ran into an
IllegalStateException because of this code
{code:java}
HttpSession session = request.getSession(false);
if (session != null) {
    session.invalidate();
    if (this.logger.isDebugEnabled()) {
        this.logger.debug(LogMessage.format("Invalidated session %s", session.getId()));
    }
}
{code}
Looking at the HttpSessionWrapper.java this makes sense
{code}
@Override
public String getId()
{
    this.checkInvalid();
    if ( this.config.isUniqueSessionId() )
    {
        return this.delegate.getId().concat("-").concat(this.sessionId);
    }
    return this.delegate.getId();
}
{code}
The Spring code assumes session.getId() can safely be called, even after the
session has been invalidated. I'm not sure where to look for the specs, but I
think that assumption is correct.
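A self-contained reproduction of the call order described in this report, added here as an illustration and not taken from Felix or Spring. It also shows a caller-side ordering (read the id before invalidating) that works with either behaviour. All types are hypothetical stand-ins, and the container session is assumed to keep its id readable after invalidation.

```java
// Added illustration; SessionLike, ContainerSession, CheckedWrapper and the
// logout helpers are hypothetical stand-ins, not Felix or Spring classes.
import java.util.UUID;
public class InvalidatedSessionIdDemo {
    interface SessionLike {
        String getId();
        void invalidate();
    }

    /** Assumed container behaviour: the id stays readable after invalidate(). */
    static final class ContainerSession implements SessionLike {
        private final String id = UUID.randomUUID().toString();
        public String getId() { return id; }
        public void invalidate() { /* attributes would be unbound here */ }
    }

    /** Mirrors the getId() in the report: the validity check runs before the id is read. */
    static final class CheckedWrapper implements SessionLike {
        private final SessionLike delegate;
        private boolean invalid;
        CheckedWrapper(SessionLike delegate) { this.delegate = delegate; }
        private void checkInvalid() { if (invalid) throw new IllegalStateException("Session is invalid."); }
        public String getId() { checkInvalid(); return delegate.getId(); }
        public void invalidate() { checkInvalid(); invalid = true; delegate.invalidate(); }
    }

    /** Same order as the logout snippet in the report: invalidate, then read the id. */
    static String logoutThenLog(SessionLike s) {
        s.invalidate();
        return "Invalidated session " + s.getId();
    }

    /** Caller-side ordering that works with either behaviour: read the id first. */
    static String logIdCapturedFirst(SessionLike s) {
        String id = s.getId();
        s.invalidate();
        return "Invalidated session " + id;
    }

    public static void main(String[] args) {
        System.out.println(logIdCapturedFirst(new CheckedWrapper(new ContainerSession())));
        System.out.println(logoutThenLog(new ContainerSession()));
        try {
            logoutThenLog(new CheckedWrapper(new ContainerSession()));
        } catch (IllegalStateException e) {
            System.out.println("wrapper threw after invalidate(): " + e.getMessage());
        }
    }
}
```

In the failing case the stand-in session is already invalidated when the exception is raised; only the subsequent id read fails.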