Should throw an IllegalStateException when creating a session after the response body is committed #1798

Closed
@ypji

Describe the bug
If the response has been committed, HttpServletRequest#createSession(true) should throw an IllegalArgumentException. But spring-session-data-redis doesn't do this; it still creates an HttpSession, and the client cannot receive the Cookie header.

Here's the javadoc description from HttpServletRequest.java:

    /**
     * Returns the current <code>HttpSession</code> associated with this request
     * or, if there is no current session and <code>create</code> is true,
     * returns a new session.
     * <p>
     * If <code>create</code> is <code>false</code> and the request has no valid
     * <code>HttpSession</code>, this method returns <code>null</code>.
     * <p>
     * To make sure the session is properly maintained, you must call this
     * method before the response is committed. If the container is using
     * cookies to maintain session integrity and is asked to create a new
     * session when the response is committed, an IllegalStateException is
     * thrown.
     *
     * @param create
     *            <code>true</code> to create a new session for this request if
     *            necessary; <code>false</code> to return <code>null</code> if
     *            there's no current session
     * @return the <code>HttpSession</code> associated with this request or
     *         <code>null</code> if <code>create</code> is <code>false</code>
     *         and the request has no valid session
     * @see #getSession()
     */
    public HttpSession getSession(boolean create);

To Reproduce

    @Controller
    @RequestMapping("/test")
    public static class AbcController {
        @GetMapping("/")
        public void exec(HttpServletRequest request,
                         HttpServletResponse response) throws Exception {
            response.setHeader("Content-Type", "text/plain");
            response.getWriter().write("ABC\r\n");
            response.getWriter().flush(); // FLUSH THE OUTPUT STREAM.
            System.out.println(request.getSession().getId()); // SESSION SHOULDN'T BE CREATED NORMALLY.
        }
    }

Expected behavior
An IllegalArgumentException should be thrown.

Sample

Sample Project.

  1. Clone the project (main branch).
  2. Change the Redis connection info in application.properties.
  3. Start the main class.
  4. Run curl -vvv http://localhost:8080/test/. Check the log and the curl response headers.
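
The behaviour the quoted javadoc describes can be enforced in front of the session-backed request with a servlet filter. The following is an added example, not code from the issue or from spring-session: the class name is hypothetical, and it assumes the javax.servlet 4.0 API (where Filter#init and Filter#destroy have default implementations) and that the filter is registered to run after the session filter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not part of spring-session). Assumption: it is registered
// so that it runs after the session filter, i.e. it wraps the request that
// spring-session has already wrapped.
public class CommittedResponseSessionGuardFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) req) {
            @Override
            public HttpSession getSession(boolean create) {
                // An existing session may always be returned.
                HttpSession existing = super.getSession(false);
                if (existing != null || !create) {
                    return existing;
                }
                // A new session needs a Set-Cookie header, which can no longer
                // be added once the response is committed.
                if (res.isCommitted()) {
                    throw new IllegalStateException(
                            "Cannot create a session after the response has been committed");
                }
                return super.getSession(true);
            }

            @Override
            public HttpSession getSession() {
                return getSession(true);
            }
        }, res);
    }
}
```

With this guard in place, the reproduction controller above fails at request.getSession() instead of storing a session whose id the client never receives.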

Labels: in: core; status: backported (an issue that has been backported to maintenance branches); type: bug (a general bug)