Bug 54999

Summary: JSESSIONIDSSO not re-created upon re-authentication on the same request - logout() and login(username,password)
Product: Tomcat 7
Reporter: Keith Mashinter <kmashint>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 7.0.40
Target Milestone: ---
Hardware: PC
OS: Windows XP
Attachments: Fix for Bug 54999 to ensure JSESSIONIDSSO can be re-created

Description Keith Mashinter 2013-05-21 19:50:48 UTC
In testing I found that the JSESSIONIDSSO was not re-created upon re-authentication via logout() and login(username,password) in the same request. The problem stemmed from the REQ_SSOID_NOTE that was not reset upon request.logout(), whereas the documentation indicates that a logout() from any web-app should logout() from all web-apps. When the REQ_SSOID_NOTE is not removed upon logout(), a subsequent login(username,password) on the same request will re-create a JSESSIONID for the current web-app but fails to re-create a JSESSIONIDSSO since the REQ_SSOID_NOTE still lingers on the request.

AuthenticatorBase.java adjustment for logout(request) that removes the REQ_SSOID_NOTE so that a subsequent login(username,password) will work on the same request:

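    @Override
    public void logout(Request request) throws ServletException {
        // Registering a null principal logs the user out.
        register(request, request.getResponse(), null,
                null, null, null);
        // Drop the stale SSO id note so a login() later in this request
        // creates a new JSESSIONIDSSO.
        request.removeNote(Constants.REQ_SSOID_NOTE);
    }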

I'll upload a diff-patch against the trunk and for 7.0.40.

Comment 1 Keith Mashinter 2013-05-22 13:18:26 UTC
Created attachment 30313
Fix for Bug 54999 to ensure JSESSIONIDSSO can be re-created

In the Bug comments I chose to @override the AuthenticatorBase logout(Request) but the more self-consistent place to patch this seems to be in AuthenticatorBase.register(Request,...), which I've done here against the tc7.0.x/trunk/tc7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java.

Comment 2 Mark Thomas 2013-05-30 13:54:12 UTC
Thanks for the report, analysis and patch. It all looks good to me.

I have applied the patch to trunk and 7.0.x and the fix will be included in 7.0.41 onwards.
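
A regression probe for the logout() and login(username,password) sequence described in this report, added here as an example; it is not part of the bug report, the attached patch or Tomcat's code. The servlet name and URL pattern are hypothetical, and it assumes the SingleSignOn valve is enabled, the web application has an authenticator configured, and the client has already signed in through SSO before posting.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not Tomcat code: the class name and URL pattern are hypothetical.
// Assumes the SingleSignOn valve is enabled and the Realm accepts the posted credentials.
@WebServlet("/reauth-check")
public class ReauthCheckServlet extends HttpServlet {
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The stale note only exists when the request arrived with a live SSO cookie.
        String oldSsoId = null;
        if (req.getCookies() != null) {
            for (Cookie c : req.getCookies()) {
                if (SSO_COOKIE.equals(c.getName())) oldSsoId = c.getValue();
            }
        }
        resp.setContentType("text/plain");
        if (oldSsoId == null || req.getUserPrincipal() == null) {
            resp.getWriter().println("INCONCLUSIVE: sign in through SSO first, then POST again");
            return;
        }
        // Re-authenticate inside one request, the sequence from the report.
        req.logout();
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        // A fixed container queues a Set-Cookie carrying a new SSO id on this response.
        boolean reissued = false;
        for (String header : resp.getHeaders("Set-Cookie")) {
            if (header.startsWith(SSO_COOKIE + "=")) {
                String value = header.substring(SSO_COOKIE.length() + 1).split(";", 2)[0];
                reissued |= !value.isEmpty() && !value.equals(oldSsoId);
            }
        }
        resp.getWriter().println(reissued
                ? "OK: new " + SSO_COOKIE + " issued after re-authentication"
                : "FAIL: no new " + SSO_COOKIE + "; SSO state was not re-created");
    }
}
```

Comparing against the incoming cookie value matters: a Set-Cookie that repeats the old, already deregistered SSO id would otherwise be counted as a pass.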