Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-19090

SharedSessionServletRequest doesn't correctly handle session invalidation

    Details

    • Branch Version/s:
      6.0.x

      Description

      My portlet has private-session-attributes set to false. When I invalidate the session and ask the httpServletRequest for new one I'm receiving still the original session which was invalidated.

      Steps to reproduce:
      1. create portlet and in liferay-portlet.xml set private-session-attributes element to false
      2. run following code from your portlet:

      HttpServletRequest servletRequest = PortalUtil.getHttpServletRequest(portletRequest);
      HttpSession session = servletRequest.getSession(true);
      session.invalidate();
      session = servletRequest.getSession(true);
      session.setAttribute("foo", "bar"); //at this point you get the java.lang.IllegalStateException: Session already invalidated
      

      The problem is in SharedSessionServletRequest - it holds reference to session created in constructor. And doesn't create new one if when to original session has been invalidated.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                9 years, 4 weeks, 3 days ago

                Packages

                Version Package