• Bug
  • Status: Open
  • 2 Major
  • Resolution:
  • Sessions
  • prodmgmt
  • Reporter: teck
  • December 18, 2008
  • 0
  • Watchers: 0
  • March 19, 2010

Attachments

  • teck (6.00 k) application/x-zip-compressed test.zip

Description

If someone deliberately “unwraps” the servlet request passed to their filter/servlet/JSP and calls getSession() on the unwrapped request, they can interact with the container’s native session manager and bypass Terracotta. Worse yet, the container will drop a session cookie that overwrites the TC one.

This only affects containers that use a servlet filter for TC session integration (i.e. anything that is not Tomcat based, so I think this means WebLogic, WebSphere and some versions of the Jetty integration).

Comments