New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ERROR dispatch can cause two sessions to be created #229
Comments
@tsachev Thanks for the report. I have modified the httpsession sample in a branch (rwinch/spring-session/tree/gh-229) to try to reproduce the issue and am unable to do so. The steps I attempted:
When looking at my cookies, I only see a single SESSION cookie. When looking in Redis I only see a single session. Both the attribute set before the forward and after the forward are displayed. I'm wondering if the issue is related to the fact that your response is an ERROR? You may need to ensure the SessionRepositoryFilter is mapped to ERROR dispatch types as well. Can you try and provide more details on how to reproduce this issue? Perhaps a sample? Thanks! |
@tsachev PS Perhaps you could also let me know which version of Spring Session you are using. If you are not using 1.0.1.RELEASE perhaps you can try updating and seeing if that fixes your issue. |
I will try to make up a simple project that reproduces the problem. But generally I think the flow goes like this.
|
@tsachev Thanks for the reply. This was enough information for me to reproduce the problem. I will get a fix for this issue in 1.0.2. |
Previously, if the following happened: * New Session Created * Exception thrown * Exception processed by error handler within Servlet * Error Handler used a session The result would be two sessions were created. This means the data from the first session was also lost. This happend because ERROR dispatch is a separate Filter invocation where the request is no longer wrapped. This commit ensures that currentSession is saved on a HttpServletRequest attribute so that the ERROR dispatch sees that a session was already created. Fixes: gh-229
Thanks for the report! I have fixed this in master and it will be available in the 1.0.2 release. While I did test this myself, I'd appreciate you trying out the latest SNAPSHOT and ensuring that it resolved your issue. You can obtain the spring-session-1.0.2.BUILD-SNAPSHOT.jar from our maven repository: <repository>
<id>spring-snapshot</id>
<url>https://repo.spring.io/libs-snapshot</url>
</repository> PS: Based on your report I found another bug which we will also be fixing. See #251 Thanks again! |
If SessionRepositoryRequestWrapper.commitSession() is invoked twice when a new session is created, then CookieHttpSessionStrategy will add the same cookie twice. A couple examples of how this could happen: * The response is committed and SessionRepositoryResponseWrapper.onResponseCommitted() invokes SessionRepositoryRequestWrapper.commitSession(). Then the finally block in SessionRepositoryFilter invokes SessionRepositoryRequestWrapper.commitSession() again. * The new session is initialized and an Exception is thrown (i.e. gh-229). The SessionRepositoryFilter invokes SessionRepositoryRequestWrapper.commitSession() in the REQUEST dispatch. Then in the ERROR dispatch SessionRepositoryFilter invokes SessionRepositoryRequestWrapper.commitSession() invokes it again. This commit ensures if the same Session is passed into CookieHttpSessionStrategy multiple times within the same HttpServletRequest it is only written once by keeping track of the sessions on a request attribute. Fixes gh-251
Updated Description
After further feedback from @tsachev the issue is reproduced:
This happens because the wrapped request that is caching the current session is not there anymore. It is a new HttpServletRequest object that is no longer wrapped. Instead, we should save the
HttpSessionWrapper currentSession
in aHttpServletRequest
attribute.Original Description
If a request creates a new session and then forwards (
requestDispatcher.forward()
) to another servlet/view which tries to update the session - two session are created.if SessionRepositoryFilter is registered for
DisptcherType.FORWARD
- two spring sessions are created.if SessionRepositoryFilter is not registered for
DisptcherType.FORWARD
- one spring session is created and one tomcat session.I can see that two
Set-Cooke
headers are sent to the browser.The text was updated successfully, but these errors were encountered: