CookieHttpSessionStrategy only writes same Session once
If SessionRepositoryRequestWrapper.commitSession() is invoked twice when a new session is created, then CookieHttpSessionStrategy will add the same cookie twice. A couple examples of how this could happen: * The response is committed and SessionRepositoryResponseWrapper.onResponseCommitted() invokes SessionRepositoryRequestWrapper.commitSession(). Then the finally block in SessionRepositoryFilter invokes SessionRepositoryRequestWrapper.commitSession() again. * The new session is initialized and an Exception is thrown (i.e. gh-229). The SessionRepositoryFilter invokes SessionRepositoryRequestWrapper.commitSession() in the REQUEST dispatch. Then in the ERROR dispatch SessionRepositoryFilter invokes SessionRepositoryRequestWrapper.commitSession() invokes it again. This commit ensures if the same Session is passed into CookieHttpSessionStrategy multiple times within the same HttpServletRequest it is only written once by keeping track of the sessions on a request attribute. Fixes gh-251
This commit is contained in:
@@ -68,6 +68,28 @@ public class CookieHttpSessionStrategyTests {
|
||||
assertThat(getSessionId()).isEqualTo(session.getId());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void onNewSessionTwiceSameId() throws Exception {
|
||||
strategy.onNewSession(session, request, response);
|
||||
strategy.onNewSession(session, request, response);
|
||||
|
||||
assertThat(response.getCookies()).hasSize(1);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void onNewSessionTwiceNewId() throws Exception {
|
||||
Session newSession = new MapSession();
|
||||
|
||||
strategy.onNewSession(session, request, response);
|
||||
strategy.onNewSession(newSession, request, response);
|
||||
|
||||
Cookie[] cookies = response.getCookies();
|
||||
assertThat(cookies).hasSize(2);
|
||||
|
||||
assertThat(cookies[0].getValue()).isEqualTo(session.getId());
|
||||
assertThat(cookies[1].getValue()).isEqualTo(newSession.getId());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void onNewSessionExistingSessionSameAlias() throws Exception {
|
||||
Session existing = new MapSession();
|
||||
|
||||
Reference in New Issue
Block a user