From b79913240da4283bf45fdbbcd7bdfa925e5fe832 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Mon, 27 Jul 2015 15:25:58 -0500 Subject: [PATCH] HttpServletRequest.changeSessionId() impacts previous references Previously, if a user had a reference to an existing HttpSession and changed the session id, it would not work. For example: HttpSession s = request.getSession(); request.changeSessionId(); s.setAttribute(...); This commit fixes holding on to a reference of an HttpSession when the session id is changed. Fixes gh-227 --- .../session/web/http/SessionRepositoryFilter.java | 7 +++++-- .../session/web/http/SessionRepositoryFilterTests.java | 8 +++++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/spring-session/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java b/spring-session/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java index 182500af..88700c89 100644 --- a/spring-session/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java +++ b/spring-session/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java @@ -191,7 +191,7 @@ public class SessionRepositoryFilter extends OncePerR } } - @SuppressWarnings("unused") + @SuppressWarnings({ "unused", "unchecked" }) public String changeSessionId() { HttpSession session = getSession(false); @@ -210,9 +210,12 @@ public class SessionRepositoryFilter extends OncePerR } sessionRepository.delete(session.getId()); + HttpSessionWrapper original = currentSession; currentSession = null; HttpSession newSession = getSession(); + original.session = ((HttpSessionWrapper)newSession).session; + newSession.setMaxInactiveInterval(session.getMaxInactiveInterval()); for(Map.Entry attr : attrs.entrySet()) { String attrName = attr.getKey(); 
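Review bot: `@SuppressWarnings({ "unused", "unchecked" })` now silences unchecked warnings for the whole of changeSessionId(), although the only cast this patch adds is `(HttpSessionWrapper)newSession` in the following hunk. Scoping the suppression to a local declaration, for example `@SuppressWarnings("unchecked") HttpSessionWrapper replacement = (HttpSessionWrapper) newSession;` with a short comment on why the cast is safe, keeps any later unchecked operation in this method visible to the compiler. The method body continues outside this hunk.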
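Review bot: After `original.session = ((HttpSessionWrapper)newSession).session;` two wrapper objects front the same underlying session, but only the `session` field is carried over; the `invalidated` and `old` flags declared on HttpSessionWrapper remain separate per wrapper. If the session is later invalidated through one reference (a logout, say), the other reference may still accept reads and writes, depending on how the wrapper methods outside this hunk consult those flags. Keeping a single wrapper would avoid the split, for example by re-pointing the request at the existing one after the swap with `currentSession = original;`, or else add a test that invalidates through one reference and checks the other is rejected too. `original` is also dereferenced without a null check, which is safe only if `getSession(false)` always populates `currentSession` when it returns non-null; that code is not visible here. changeSessionId() begins before and ends after this hunk.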
@@ -291,7 +294,7 @@ public class SessionRepositoryFilter extends OncePerR * @since 1.0 */ private final class HttpSessionWrapper implements HttpSession { - private final S session; + private S session; private final ServletContext servletContext; private boolean invalidated; private boolean old; diff --git a/spring-session/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java b/spring-session/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java index 365b34fa..61a73a9f 100644 --- a/spring-session/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java +++ b/spring-session/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java @@ -472,7 +472,13 @@ public class SessionRepositoryFilterTests { doFilter(new DoInFilter() { @Override public void doFilter(HttpServletRequest wrappedRequest) { - ReflectionTestUtils.invokeMethod(wrappedRequest, "changeSessionId"); + HttpSession originalSession = wrappedRequest.getSession(); + assertThat(originalSession.getId()).isEqualTo(originalSessionId); + + String changeSessionId = ReflectionTestUtils.invokeMethod(wrappedRequest, "changeSessionId"); + assertThat(changeSessionId).isNotEqualTo(originalSessionId); + // gh-227 + assertThat(originalSession.getId()).isEqualTo(changeSessionId); } });
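Review bot: `private S session;` is now mutable, but nothing at the declaration says who may reassign it or why. A one-line comment such as `// not final: changeSessionId() re-points existing wrappers at the replacement session (gh-227)` would keep a later cleanup from restoring `final`. Dropping `final` also gives up the final-field visibility guarantee, so if a wrapper can be read from another thread (async dispatch, for instance; not visible in this hunk) consider `private volatile S session;`. The class body continues outside the hunk.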
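Review bot: The new assertions cover only `getId()` on the retained reference, while the scenario described in the commit message is a write through it (`s.setAttribute(...)`). Adding `originalSession.setAttribute("k", "v");` followed by `assertThat(wrappedRequest.getSession().getAttribute("k")).isEqualTo("v");` (constructed sample values) would pin that writes through the old reference land in the session the request now returns. Because changing the id is what protects a login against session fixation, it is also worth asserting here that the original id no longer resolves in the repository, unless lines outside this hunk already do so. The local `changeSessionId` would read better as `changedSessionId`; the enclosing test method starts and ends outside the hunk.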