HttpServletRequest.changeSessionId() impacts previous references

Previously, if a user had a reference to an existing HttpSession and changed the session id, it would not work. For example: HttpSession s = request.getSession(); request.changeSessionId(); s.setAttribute(...); This commit fixes holding on to a reference of an HttpSession when the session id is changed. Fixes gh-227
2015-07-27 15:25:58 -05:00
parent 4c24384243
commit b79913240d
2 changed files with 12 additions and 3 deletions
--- a/spring-session/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java
+++ b/spring-session/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java
@@ -191,7 +191,7 @@ public class SessionRepositoryFilter<S extends ExpiringSession> extends OncePerR
 			}
 		}

-		@SuppressWarnings("unused")
+		@SuppressWarnings({ "unused", "unchecked" })
 		public String changeSessionId() {
 			HttpSession session = getSession(false);

@@ -210,9 +210,12 @@ public class SessionRepositoryFilter<S extends ExpiringSession> extends OncePerR
 			}

 			sessionRepository.delete(session.getId());
+			HttpSessionWrapper original = currentSession;
 			currentSession = null;

 			HttpSession newSession = getSession();
+			original.session = ((HttpSessionWrapper)newSession).session;
+
 			newSession.setMaxInactiveInterval(session.getMaxInactiveInterval());
 			for(Map.Entry<String, Object> attr : attrs.entrySet()) {
 				String attrName = attr.getKey();
@@ -291,7 +294,7 @@ public class SessionRepositoryFilter<S extends ExpiringSession> extends OncePerR
 		 * @since 1.0
 		 */
 		private final class HttpSessionWrapper implements HttpSession {
-			private final S session;
+			private S session;
 			private final ServletContext servletContext;
 			private boolean invalidated;
 			private boolean old;
--- a/spring-session/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java
+++ b/spring-session/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java
@@ -472,7 +472,13 @@ public class SessionRepositoryFilterTests {
 		doFilter(new DoInFilter() {
 			@Override
 			public void doFilter(HttpServletRequest wrappedRequest) {
-				ReflectionTestUtils.invokeMethod(wrappedRequest, "changeSessionId");
+				HttpSession originalSession = wrappedRequest.getSession();
+				assertThat(originalSession.getId()).isEqualTo(originalSessionId);
+
+				String changeSessionId = ReflectionTestUtils.invokeMethod(wrappedRequest, "changeSessionId");
+				assertThat(changeSessionId).isNotEqualTo(originalSessionId);
+				// gh-227
+				assertThat(originalSession.getId()).isEqualTo(changeSessionId);
 			}
 		});