Affected version
All Spring Versions
Summary
MockHttpServletRequest.isRequestedSessionIdValid() currently defaults to true instead of being calculated, which does not match Jakarta Servlet 6.1 HttpServletRequest.isRequestedSessionIdValid().
Relevant API (Servlet 6.1):
- getRequestedSessionId() — null if the client did not specify a session ID.
- isRequestedSessionIdValid() — returns false if the client did not specify any session ID; otherwise reflects whether the requested id corresponds to a valid session in the current context.
- changeSessionId() — assigns a new id to the current session (the incoming requested id is then stale until the client is updated).
Minimal sample
- No client session id — expected per Javadoc: isRequestedSessionIdValid() is false; actual today: true.
MockHttpServletRequest request = new MockHttpServletRequest();
assertThat(request.getRequestedSessionId()).isNull();
assertThat(request.isRequestedSessionIdValid()).isFalse(); // fails today
- Session id rotation — after changeSessionId(), the requested id no longer matches the session; expected: isRequestedSessionIdValid() is false; actual today: still true unless manually toggled. This breaks Spring Security tests and we must work around it by extending MockHttpServletRequest so that changeSessionId() invokes setRequestedSessionIdValid(false).
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpSession session = new MockHttpSession();
request.setSession(session);
request.setRequestedSessionId(session.getId());
String previousRequestedId = request.getRequestedSessionId();
request.changeSessionId();
assertThat(session.getId()).isNotEqualTo(previousRequestedId);
assertThat(request.getRequestedSessionId()).isEqualTo(previousRequestedId);
assertThat(request.isRequestedSessionIdValid()).isFalse(); // fails today
Additional Considerations
At times users are not using MockHttpServletRequest directly. For example, when using MockMvc users are leveraging the builders provided with MockMvc and thus cannot easily extend/override MockHttpServletRequest.
Possible Solution
While it is going to cause breaking changes, one solution might be to change the member variable isRequestedSessionIdValid (leaving the accessors in place) to a Boolean. If it is null (the default), then the logic for isRequestedSessionIdValid() should follow the Javadoc. If isRequestedSessionIdValid has been explicitly set, then the explicitly set value is used.
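The tri-state idea as a hypothetical subclass, added here as an illustration (not Spring's code and not the proposed patch; the class name is assumed): validity is derived from the request state per the Servlet 6.1 Javadoc unless a test explicitly set it, so a rotated session id is no longer reported as valid in the two minimal samples above.

```java
import jakarta.servlet.http.HttpSession;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpSession;

// Hypothetical subclass (illustration only, not Spring's code or the proposed fix).
public class ComputedSessionIdMockRequest extends MockHttpServletRequest {
    // null means "not explicitly set": derive the answer from the request state
    private Boolean explicitRequestedSessionIdValid;

    @Override
    public void setRequestedSessionIdValid(boolean requestedSessionIdValid) {
        this.explicitRequestedSessionIdValid = requestedSessionIdValid;
        super.setRequestedSessionIdValid(requestedSessionIdValid);
    }

    @Override
    public boolean isRequestedSessionIdValid() {
        if (this.explicitRequestedSessionIdValid != null) {
            return this.explicitRequestedSessionIdValid; // test opted into a fixed answer
        }
        String requestedId = getRequestedSessionId();
        if (requestedId == null) {
            return false; // Javadoc: client sent no session id
        }
        // getSession(false) already yields null for an invalidated MockHttpSession
        HttpSession session = getSession(false);
        // after changeSessionId() the requested id is stale, so this comparison fails
        return session != null && requestedId.equals(session.getId());
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) {
        ComputedSessionIdMockRequest request = new ComputedSessionIdMockRequest();
        check(!request.isRequestedSessionIdValid(), "no client session id");
        MockHttpSession session = new MockHttpSession();
        request.setSession(session);
        request.setRequestedSessionId(session.getId());
        check(request.isRequestedSessionIdValid(), "requested id matches the live session");
        request.changeSessionId(); // rotation, as in the second minimal sample
        check(!request.isRequestedSessionIdValid(), "requested id is stale after rotation");
    }
}
```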