• Bug
  • Status: Open
  • 2 Major
  • Resolution:
  • Sessions
  • prodmgmt
  • Reporter: teck
  • December 18, 2008
  • 0
  • Watchers: 0
  • March 19, 2010


  • teck (6.00 k) application/x-zip-compressed test.zip


If someone deliberately “unwraps” the servlet request passed to their filter/servlet/jsp and calls getSession() on the unwrapped request, you can interact with the container’s native session manager and bypass terracotta. Worse yet is the container will drop a session cookie that overwrites the TC one

This only affects containers that use a servlet filter for TC session integration (ie. anything that is not tomcat based, so I think this means weblogic, webshpere and some versions of the jetty integration)