Cookie issue when using DWR 3.0.1 with Jetty

Cookie issue when using DWR 3.0.1 with Jetty

uwolfer
I have noticed an issue when using DWR 3.0.1 with Jetty 9.2.

Since requests (Request instances) are recycled in Jetty, there is an
issue with the flow. The issue is that cookies are not available anymore
with Request#getCookies. It might also lead to wrong CSRF handling since
this code is not called anymore (if (request.getCookies() == null)
return).

The following fix works for me:


BaseSleeper.java
      private void doClose()
      {
-        close();
          if (onClose != null)
          {
              onClose.run();
          }
+        close();
      }
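Review bot: with `close();` moved below the `onClose` block, an exception thrown from `onClose.run()` now skips `close()` entirely, so the async context is never completed; the original order could not lose the close that way. Keep the new ordering (the callback must see the still-live request before complete/recycle runs) but guard it, e.g. `try { if (onClose != null) onClose.run(); } finally { close(); }`.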


Let's try to explain the flow:
BaseSleeper#doClose
-> BaseSleeper#close
-> org.eclipse.jetty.server.AsyncContextState#complete
...-> org.eclipse.jetty.server.Request#recycle
-> resets _cookiesExtracted (=false)

then:
BasePollHandler Runnable onClose
-> BaseDwrpHandler#updateCsrfState
-> org.eclipse.jetty.server.Request#getCookies
-> parses the already recycled request, which obviously has no cookies
anymore, and sets _cookiesExtracted=true. Then, when the request instance
gets used again, it does not parse cookies anymore.

There are related discussions for Jetty (but not related to DWR) ([1],
[2]). It is not optimal that Jetty caches parsed cookies that way, but
it is IMHO wrong that DWR tries to get cookies after a request has been
closed (and returned to the pool in the case of Jetty).

[1]
http://stackoverflow.com/questions/25800311/jetty-server-7-6-9-loosing-cookie-in-ajax-and-high-concurrency-situation
[2]
http://jetty.4.x6.nabble.com/Jetty-6-1-11-creates-new-session-when-there-is-old-session-td37304.html

Bye
urs
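A self-contained model of the flow Urs describes, added here as an illustration and not code from DWR or Jetty: a pooled request that caches its parsed cookies behind an "extracted" flag which only recycle() resets (standing in for Jetty's Request and its _cookiesExtracted), and the two orderings of doClose. The class and method names (RecycledRequestDemo, PooledRequest, doCloseOriginal, doCloseFixed, cookiesSeenByNextRequest) and the cookie header values are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not DWR or Jetty source. Models the lifecycle described
// in the post: a pooled request whose parsed cookies are cached behind an
// "extracted" flag that only recycle() resets.
public class RecycledRequestDemo {

    /** Hypothetical stand-in for org.eclipse.jetty.server.Request. */
    static final class PooledRequest {
        private String rawCookieHeader;      // what the client sent; null after recycle()
        private Map<String, String> cookies; // parsed result, cached
        private boolean cookiesExtracted;    // models _cookiesExtracted

        /** The container assigns a new HTTP request to this instance. */
        void begin(String cookieHeader) {
            rawCookieHeader = cookieHeader;
            // As in the post, the cache flag is reset only by recycle(), not here.
        }

        /** Models Request#recycle: header and cache are dropped, flag reset. */
        void recycle() {
            rawCookieHeader = null;
            cookies = null;
            cookiesExtracted = false;
        }

        /** Models Request#getCookies: parse on first call, then serve the cache. */
        Map<String, String> getCookies() {
            if (!cookiesExtracted) {
                cookiesExtracted = true;
                cookies = parse(rawCookieHeader);
            }
            return cookies;
        }

        private static Map<String, String> parse(String header) {
            if (header == null) {
                return null; // no Cookie header: nothing to extract
            }
            Map<String, String> parsed = new HashMap<>();
            for (String pair : header.split(";")) {
                String[] kv = pair.trim().split("=", 2);
                if (kv.length == 2) {
                    parsed.put(kv[0], kv[1]);
                }
            }
            return parsed;
        }
    }

    /** Original BaseSleeper#doClose order: complete (recycle) first, callback second. */
    static void doCloseOriginal(PooledRequest req, Runnable onClose) {
        req.recycle(); // stands in for close() -> AsyncContextState#complete -> Request#recycle
        if (onClose != null) {
            onClose.run(); // callback now reads cookies from a recycled request
        }
    }

    /** Reordered as in the proposed fix, with finally so a throwing callback cannot skip the close. */
    static void doCloseFixed(PooledRequest req, Runnable onClose) {
        try {
            if (onClose != null) {
                onClose.run(); // callback sees the still-live request
            }
        } finally {
            req.recycle();
        }
    }

    /**
     * Runs one request through doClose in the given order, then reuses the same
     * pooled instance for a second request and returns the cookies that second
     * request observes. Header values are constructed sample data.
     */
    static Map<String, String> cookiesSeenByNextRequest(boolean fixed) {
        PooledRequest req = new PooledRequest();
        req.begin("JSESSIONID=first; tracker=1");
        // The poll handler's onClose (models BaseDwrpHandler#updateCsrfState) reads cookies.
        Runnable onClose = () -> req.getCookies();
        if (fixed) {
            doCloseFixed(req, onClose);
        } else {
            doCloseOriginal(req, onClose);
        }
        // The container hands the recycled instance to the next request, which does carry cookies.
        req.begin("JSESSIONID=second; tracker=2");
        return req.getCookies();
    }

    public static void main(String[] args) {
        System.out.println("original order, next request sees: " + cookiesSeenByNextRequest(false));
        System.out.println("fixed order, next request sees:    " + cookiesSeenByNextRequest(true));
    }
}
```

With the original order the second request reads back null: the callback parsed an empty, already recycled instance and left the extracted flag set, so the reused instance never parses its own header. With the callback run before recycle, the second request parses its header normally, which is the behaviour the reordering in the patch restores.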

Re: Cookie issue when using DWR 3.0.1 with Jetty

david@butterdev.com
I have created an issue for this so we can look into it:
https://directwebremoting.atlassian.net/browse/DWR-653

On 2015-12-22 01:04, Urs Wolfer wrote:

> I have noticed an issue when using DWR 3.0.1 with Jetty 9.2.
>
> Since requests (Request instances) are recycled in Jetty, there is an
> issue with the flow. The issue is that cookies are not available
> anymore with Request#getCookies. It might also lead to wrong CSRF
> handling since this code is not called anymore (if
> (request.getCookies() == null) return).
>
> The following fix works for me:
>
>
> BaseSleeper.java
>      private void doClose()
>      {
> -        close();
>          if (onClose != null)
>          {
>              onClose.run();
>          }
> +        close();
>      }
>
>
> Let's try to explain the flow:
> BaseSleeper#doClose
> -> BaseSleeper#close
> -> org.eclipse.jetty.server.AsyncContextState#complete
> ...-> org.eclipse.jetty.server.Request#recycle
> -> resets _cookiesExtracted (=false)
>
> then:
> BasePollHandler Runnable onClose
> -> BaseDwrpHandler#updateCsrfState
> -> org.eclipse.jetty.server.Request#getCookies
> -> parses the already recycled request, which obviously has no cookies
> anymore, and sets _cookiesExtracted=true. Then, when the request instance
> gets used again, it does not parse cookies anymore.
>
> There are related discussions for Jetty (but not related to DWR) ([1],
> [2]). It is not optimal that Jetty caches parsed cookies that way, but
> it is IMHO wrong that DWR tries to get cookies after a request has
> been closed (and returned to the pool in the case of Jetty).
>
> [1]
> http://stackoverflow.com/questions/25800311/jetty-server-7-6-9-loosing-cookie-in-ajax-and-high-concurrency-situation
> [2]
> http://jetty.4.x6.nabble.com/Jetty-6-1-11-creates-new-session-when-there-is-old-session-td37304.html
>
> Bye
> urs