ops4j / org.ops4j.pax.web

OSGi R7 Http Service, Whiteboard and Web Applications (OSGi CMPN Release chapters 102, 140 and 128) implementation using Jetty 9, Tomcat 9 or Undertow 2.
https://ops4j1.jira.com/wiki/display/paxweb/Pax+Web

The PaxWebSessionHandler generates incorrect session value when whiteboard.context.name contains a dot #1958

Open PeterSuna opened 3 weeks ago

PeterSuna commented 3 weeks ago

When using whiteboard.context.name with the dot '.' character in an application, a new session cookie value is created with every request. The issue arises from the incorrect appending of the value after the dot with each request, leading to a long session value.

According to the provided whiteboard.context.name definitions, using a dot character in context.name should be allowed:

However, when the context.name is set to the value "apidoc.id", the ".id" value is appended with every request, resulting in the session value: "node01jmi7pmi7j6b8f3dwvof7xlpw3.id.id.id.id.id.id.id.id.id.id.id.id.id.id.id.id.node0"

This behavior occurs due to the following line of code in the PaxWebSessionHandler class, which takes the index of the first dot character after the tilde character: https://github.com/ops4j/org.ops4j.pax.web/blob/a836e4847b6a339d1d1bc826080bb484cb3b9aa0/pax-web-jetty/src/main/java/org/ops4j/pax/web/service/jetty/internal/PaxWebSessionHandler.java#L51

For example, given: eid = node01jmi7pmi7j6b8f3dwvof7xlpw3~apidoc##apidoc.id.node0

The getExtendedId method returns: node01jmi7pmi7j6b8f3dwvof7xlpw3 + .id.node0

Instead of: node01jmi7pmi7j6b8f3dwvof7xlpw3 + .node0
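
The two extraction strategies side by side, added here as an illustration and not code from Pax Web itself: the method names and the exact split logic are assumptions based on the description above, and the corrected variant assumes the Jetty worker name (the part after the last dot, "node0" in the report) contains no dot.

```java
// Added example, not the project's code. Reconstructs the reported shape of a
// Jetty extended session id once Pax Web decorates it with the OSGi context name:
//   <sessionId>~<contextName>##<contextName>.<workerName>
public class ExtendedIdDemo {

    // Sample id taken from the report above.
    static final String EID = "node01jmi7pmi7j6b8f3dwvof7xlpw3~apidoc##apidoc.id.node0";

    // Reproduces the behaviour described in the issue: cut at the FIRST dot after '~'.
    // When the context name itself contains a dot, the remainder of the context name
    // (".id") survives in the returned id, and it is decorated again on the next request.
    static String firstDotAfterTilde(String eid) {
        int tilde = eid.indexOf('~');
        if (tilde < 0) {
            return eid; // not decorated, nothing to strip
        }
        int dot = eid.indexOf('.', tilde);
        return dot < 0 ? eid.substring(0, tilde)
                       : eid.substring(0, tilde) + eid.substring(dot);
    }

    // Corrected variant (assumption, not the maintainer's fix): the worker-name suffix
    // is whatever follows the LAST dot, so the whole context name is dropped, dots
    // included. Relies on the worker name containing no dot.
    static String lastDot(String eid) {
        int tilde = eid.indexOf('~');
        if (tilde < 0) {
            return eid;
        }
        int dot = eid.lastIndexOf('.');
        return dot < tilde ? eid.substring(0, tilde)
                           : eid.substring(0, tilde) + eid.substring(dot);
    }

    public static void main(String[] args) {
        System.out.println("first dot after '~': " + firstDotAfterTilde(EID));
        System.out.println("last dot:            " + lastDot(EID));
        // A context name without a dot is handled identically by both variants.
        String plain = "node01jmi7pmi7j6b8f3dwvof7xlpw3~apidoc##apidoc.node0";
        System.out.println("plain, first dot:    " + firstDotAfterTilde(plain));
        System.out.println("plain, last dot:     " + lastDot(plain));
    }
}
```

Run with `javac ExtendedIdDemo.java && java ExtendedIdDemo`; for the sample id the first variant keeps ".id.node0" as described in the report, while the last-dot variant yields the expected ".node0" suffix.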

grgrzybek commented 2 weeks ago

Good find @PeterSuna - this code is not the best one I've ever written and it's related to the awkward "session per OSGi context" implementation for a runtime that doesn't support this.

Thanks for providing a reproducer, I'll check this soon!