[ https://issues.apache.org/jira/browse/FELIX-6504?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler closed FELIX-6504. ----------------------------------- > HttpSessionWrapper getId() throws unexpected IllegalStateException > ------------------------------------------------------------------ > > Key: FELIX-6504 > URL: https://issues.apache.org/jira/browse/FELIX-6504 > Project: Felix > Issue Type: Bug > Components: HTTP Service > Affects Versions: http.jetty-4.1.14, http.bridge-4.1.6, http.base-4.1.6 > Reporter: Steven Huypens > Assignee: Carsten Ziegeler > Priority: Minor > Fix For: http.jetty-4.2.0, http.base-4.2.0, http.bridge-4.2.0 > > > When using Spring's SecurityContextLogoutHandler, I ran into an > IllegalStateException because of this code > > {code:java} > HttpSession session = request.getSession(false); > if (session != null) { > session.invalidate(); > if (this.logger.isDebugEnabled()) { > this.logger.debug(LogMessage.format("Invalidated session %s", > session.getId())); > } > } {code} > Looking at the HttpSessionWrapper.java this makes sense > {code} > @Override > public String getId() > { > this.checkInvalid(); > if ( this.config.isUniqueSessionId() ) > { > return this.delegate.getId().concat("-").concat(this.sessionId); > } > return this.delegate.getId(); > } > {code} > The Spring code assumes session.getId() can safely be called, even after the > session has been invalidated. I'm not sure where to look for the specs, but I > think that assumption is correct. -- This message was sent by Atlassian Jira (v8.20.1#820001)