Resolution: Won't Fix
Affects Version/s: 7.0.X, 7.1.X, 7.2.X, 7.3.X, 7.4.X, Master
Fix Version/s: None
Steps to reproduce:
- Start a portal
- Attach a debugger to portal
- Set a breakpoint at first line in invokerFilterChain.doFilter(), at condition of ((HttpServletRequest)servletRequest).getRequestURL() != null && !((HttpServletRequest)servletRequest).getRequestURL() .contains("/c")"
- Add a watch point: ((HttpServletRequest)servletRequest).getSession(false)
- Access portal, for example, at localhost:8080
- Verify the watch point is null
- Disable the breakpoint, and let go
- Login to portal
- Enable the breakpoint
- Logout from portal
Expected: watch point is null
Actual: watch point is not null
The log out process:
- Portal first process /c/portal/logout, session is invalidated, then sends a response to redirect to /c.
- portal receives request of /c, notice with no existing session. During processing /c, a new session is created because of calling httpServletRequest.getSession(), and sends a response to redirect to portal home, /home.
- portal receives request of /home with a session that is left over from processing /c.
During processing http://localhost:8080/c, the portal go through several filters, including AuditFilter.java, Secure filter.java which creates a new session with httpServeletRequest.getSession() or calls to Portal.getUser() that creates new session.