UNDERTOW-1006 CachedAuthenticatedSessionHandler will change session i…

…d even if caching is not required
undertow-io · Mar 20, 2017 · 2385677 · 2385677
1 parent 75f4a24
commit 2385677
Showing 1 changed file with 13 additions and 13 deletions.
diff --git a/...rc/main/java/io/undertow/servlet/handlers/security/CachedAuthenticatedSessionHandler.java b/...rc/main/java/io/undertow/servlet/handlers/security/CachedAuthenticatedSessionHandler.java
@@ -85,21 +85,21 @@ public void handleNotification(SecurityNotification notification) {
             HttpSessionImpl httpSession = servletContext.getSession(notification.getExchange(), false);
             switch (eventType) {
                 case AUTHENTICATED:
-                    if(servletContext.getDeployment().getDeploymentInfo().isChangeSessionIdOnLogin()) {
-                        if (httpSession != null) {
-                            Session session = underlyingSession(httpSession);
-                            if (!httpSession.isNew() &&
-                                    !httpSession.isInvalid() &&
-                                    session.getAttribute(NO_ID_CHANGE_REQUIRED) == null) {
-                                ServletRequestContext src = notification.getExchange().getAttachment(ServletRequestContext.ATTACHMENT_KEY);
-                                src.getOriginalRequest().changeSessionId();
-                            }
-                            if(session.getAttribute(NO_ID_CHANGE_REQUIRED) == null) {
-                                session.setAttribute(NO_ID_CHANGE_REQUIRED, true);
+                    if (isCacheable(notification)) {
+                        if(servletContext.getDeployment().getDeploymentInfo().isChangeSessionIdOnLogin()) {
+                            if (httpSession != null) {
+                                Session session = underlyingSession(httpSession);
+                                if (!httpSession.isNew() &&
+                                        !httpSession.isInvalid() &&
+                                        session.getAttribute(NO_ID_CHANGE_REQUIRED) == null) {
+                                    ServletRequestContext src = notification.getExchange().getAttachment(ServletRequestContext.ATTACHMENT_KEY);
+                                    src.getOriginalRequest().changeSessionId();
+                                }
+                                if(session.getAttribute(NO_ID_CHANGE_REQUIRED) == null) {
+                                    session.setAttribute(NO_ID_CHANGE_REQUIRED, true);
+                                }
                             }
                         }
-                    }
-                    if (isCacheable(notification)) {
                         if(httpSession == null) {
                             httpSession = servletContext.getSession(notification.getExchange(), true);
                         }