Jetty 9.4.x 7801 duplicate set session cookies (#7809)

janbartel · web-flow · commit ff2cb453f552 · 2022-06-08T10:14:54.000+10:00
* Issue #7801 Duplicate session cookies after session id change. Signed-off-by: Jan Bartel <janb@webtide.com>
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
@@ -1013,7 +1013,6 @@ public void testFormRedirect() throws Exception
             "Cookie: JSESSIONID=" + session + "\r\n" +
             "\r\n");
         assertThat(response, startsWith("HTTP/1.1 200 OK"));
-        assertThat(response, containsString("JSESSIONID=" + session));
 
         response = _connector.getResponse("GET /ctx/admin/info HTTP/1.0\r\n" +
             "Cookie: JSESSIONID=" + session + "\r\n" +
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/session/AbstractSessionCache.java b/jetty-server/src/main/java/org/eclipse/jetty/server/session/AbstractSessionCache.java
@@ -548,6 +548,9 @@ public void release(String id, Session session) throws Exception
             //don't do anything with the session until the last request for it has finished
             if ((session.getRequests() <= 0))
             {
+                //reset the idchanged flag
+                session.setIdChanged(false);
+                
                 //save the session
                 if (!_sessionDataStore.isPassivating())
                 {
diff --git a/tests/test-sessions/test-sessions-common/src/test/java/org/eclipse/jetty/server/session/SessionRenewTest.java b/tests/test-sessions/test-sessions-common/src/test/java/org/eclipse/jetty/server/session/SessionRenewTest.java
@@ -40,6 +40,7 @@
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNotSame;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
@@ -183,8 +184,6 @@ public void doTest(RenewalVerifier verifier) throws Exception
         String contextPath = "";
         String servletMapping = "/server";
         WebAppContext context = _server.addWebAppContext(".", contextPath);
-        TestHttpChannelCompleteListener scopeListener = new TestHttpChannelCompleteListener();
-        _server.getServerConnector().addBean(scopeListener);
         context.setParentLoaderPriority(true);
         context.addServlet(TestServlet.class, servletMapping);
         TestHttpSessionIdListener testListener = new TestHttpSessionIdListener();
@@ -199,33 +198,29 @@ public void doTest(RenewalVerifier verifier) throws Exception
             client.start();
 
             //make a request to create a session
-            CountDownLatch synchronizer = new CountDownLatch(1);
-            scopeListener.setExitSynchronizer(synchronizer);
             ContentResponse response = client.GET("http://localhost:" + port + contextPath + servletMapping + "?action=create");
             assertEquals(HttpServletResponse.SC_OK, response.getStatus());
-
-            //ensure request has finished being handled
-            synchronizer.await(5, TimeUnit.SECONDS);
             
             String sessionCookie = response.getHeaders().get("Set-Cookie");
             assertTrue(sessionCookie != null);
             assertFalse(testListener.isCalled());
 
             //make a request to change the sessionid
-            synchronizer = new CountDownLatch(1);
-            scopeListener.setExitSynchronizer(synchronizer);
             Request request = client.newRequest("http://localhost:" + port + contextPath + servletMapping + "?action=renew");
             ContentResponse renewResponse = request.send();
             assertEquals(HttpServletResponse.SC_OK, renewResponse.getStatus());
-           
-            //ensure request has finished being handled
-            synchronizer.await(5, TimeUnit.SECONDS);
             
             String renewSessionCookie = renewResponse.getHeaders().get("Set-Cookie");
             assertNotNull(renewSessionCookie);
             assertNotSame(sessionCookie, renewSessionCookie);
             assertTrue(testListener.isCalled());
 
+            //make another request and check the cookie isn't set again
+            request = client.newRequest("http://localhost:" + port + contextPath + servletMapping + "?action=check");
+            ContentResponse checkResponse = request.send();
+            assertEquals(HttpServletResponse.SC_OK, checkResponse.getStatus());
+            assertNull(checkResponse.getHeaders().get("Set-Cookie"));
+
             if (verifier != null)
                 verifier.verify(context, TestServer.extractSessionId(sessionCookie), TestServer.extractSessionId(renewSessionCookie));
         }
@@ -315,10 +310,10 @@ else if ("renew".equals(action))
 
                 assertTrue(sessionIdManager.isIdInUse(afterSessionId)); //new session id should be in use
                 assertFalse(sessionIdManager.isIdInUse(beforeSessionId));
-
-
-                if (((Session)afterSession).isIdChanged())
-                    ((org.eclipse.jetty.server.Response)response).replaceCookie(sessionManager.getSessionCookie(afterSession, request.getContextPath(), request.isSecure()));
+            }
+            else
+            {
+                request.getSession(false);
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -548,6 +548,9 @@ public void release(String id, Session session) throws Exception`
`548`	`548`	`//don't do anything with the session until the last request for it has finished`
`549`	`549`	`if ((session.getRequests() <= 0))`
`550`	`550`	`{`
	`551`	`+ //reset the idchanged flag`
	`552`	`+ session.setIdChanged(false);`
	`553`	`+`
`551`	`554`	`//save the session`
`552`	`555`	`if (!_sessionDataStore.isPassivating())`
`553`	`556`	`{`