HttpServletRequest.changeSessionId() impacts previous references

Previously, if a user had a reference to an existing HttpSession and
changed the session id, it would not work. For example:

HttpSession s = request.getSession();
request.changeSessionId();
s.setAttribute(...);

This commit fixes holding on to a reference of an HttpSession when
the session id is changed.

Fixes gh-227
This commit is contained in:
Rob Winch
2015-07-27 15:25:58 -05:00
parent 4c24384243
commit b79913240d
2 changed files with 12 additions and 3 deletions

View File

@@ -472,7 +472,13 @@ public class SessionRepositoryFilterTests {
doFilter(new DoInFilter() {
@Override
public void doFilter(HttpServletRequest wrappedRequest) {
ReflectionTestUtils.invokeMethod(wrappedRequest, "changeSessionId");
HttpSession originalSession = wrappedRequest.getSession();
assertThat(originalSession.getId()).isEqualTo(originalSessionId);
String changeSessionId = ReflectionTestUtils.invokeMethod(wrappedRequest, "changeSessionId");
assertThat(changeSessionId).isNotEqualTo(originalSessionId);
// gh-227
assertThat(originalSession.getId()).isEqualTo(changeSessionId);
}
});