Bug 1379485 - [GSS] (6.4.z) JvmRouteValve resets cookie max-age
Summary: [GSS] (6.4.z) JvmRouteValve resets cookie max-age
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Clustering
Version: 6.4.6
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: CR1
Target Release: EAP 6.4.12
Assignee: Paul Ferraro
QA Contact: Jiří Bílek
URL:
Whiteboard: eap6412-proposed
Depends On:
Blocks: eap6412-payload
Reported: 2016-09-26 23:43 UTC by dereed
Modified: 2020-03-11 15:16 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-17 13:11:46 UTC
Type: Bug
Embargoed:


Links
System: Red Hat Knowledge Base (Solution)
ID: 2772251
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2016-11-17 22:38:35 UTC

Description dereed 2016-09-26 23:43:03 UTC
When the JvmRouteValve resets the session cookie, it hard-codes max-age to -1.
It should use the max-age configured for the session cookie.

org.jboss.as.web.session.AbstractSessionManager#setNewSessionCookie

    // JBAS-6206. Configure cookie a la o.a.c.connector.Request.configureSessionCookie()
    cookie.setMaxAge(-1);
    ...

However Request.configureSessionCookie has instead:

    cookie.setMaxAge(context.getSessionCookie().getMaxAge());

It appears the code was copied long ago before max-age was added to the session cookie configuration, and not kept in sync.
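
A header-level check for the behaviour described above, as an added example that is not part of the original report or the JBoss code base: it compares the session cookie a node first issues with the one re-issued after the route changes. The cookie name `JSESSIONID`, the `id.jvmRoute` value layout, and all sample header values are assumptions constructed for illustration.

```python
# Added example (not JBoss code). All header values below are constructed.
SESSION_COOKIE = "JSESSIONID"  # assumption: default session cookie name

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs). Attribute names
    are lower-cased; flag attributes such as HttpOnly map to ''."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_persistent(attrs):
    """A servlet cookie with maxAge -1 is sent with neither Max-Age nor
    Expires, so the browser drops it when it exits."""
    return "max-age" in attrs or "expires" in attrs

def lifetime_dropped(initial_header, reissued_header, name=SESSION_COOKIE):
    """True when the first session cookie had a lifetime but the cookie
    re-issued with a different route suffix does not.
    Assumption: the jvmRoute is the text after the last '.' in the id."""
    n1, v1, a1 = parse_set_cookie(initial_header)
    n2, v2, a2 = parse_set_cookie(reissued_header)
    if n1 != name or n2 != name:
        raise ValueError("both headers must set the session cookie")
    rerouted = v1.rpartition(".")[2] != v2.rpartition(".")[2]
    return rerouted and is_persistent(a1) and not is_persistent(a2)

# Constructed samples: first response from node1, then the cookie re-issued
# after the request lands on node2.
INITIAL = "JSESSIONID=Zx1Constructed.node1; Path=/app; Max-Age=1800; HttpOnly"
REISSUED_SESSION_ONLY = "JSESSIONID=Zx1Constructed.node2; Path=/app; HttpOnly"
REISSUED_WITH_LIFETIME = (
    "JSESSIONID=Zx1Constructed.node2; Path=/app; Max-Age=1800; HttpOnly"
)

if __name__ == "__main__":
    for label, header in (("session-only", REISSUED_SESSION_ONLY),
                          ("with lifetime", REISSUED_WITH_LIFETIME)):
        print(label, "-> lifetime dropped:", lifetime_dropped(INITIAL, header))
```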

Comment 3 Paul Ferraro 2016-10-03 21:02:34 UTC
https://github.com/jbossas/jboss-eap/pull/2856

Comment 4 Jiří Bílek 2016-11-08 12:41:04 UTC
Verified with EAP 6.4.12.CP.CR1

Comment 5 Petr Penicka 2017-01-17 13:11:46 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

