Version
4.5.7
Context
Root cause seems to be in #2500 (#2447, #2460)
CSRFHandlerImpl updates the session with End Handler:
But SessionHandlerImpl flushes the session with HeadersEnd Handler:
```java
private void addStoreSessionHandler(RoutingContext context) {
  context.addHeadersEndHandler(v -> {
    // skip flush if we already flushed
    Boolean flushed = context.get(SESSION_FLUSHED_KEY);
    if (flushed == null || !flushed) {
      flush(context, true, false)
        .onFailure(err -> LOG.warn("Failed to flush the session to the underlying store", err));
    }
  });
}
```
So SessionHandlerImpl flushes the session on headers end, and then CSRFHandlerImpl updates the already flushed session, and no changes end up being saved in the session store.
Tests work because LocalSessionStore stores raw session objects in the map. So when you update the session object, no flush is needed: next time you retrieve the updated session object from the store. It won't work when sessions are serialized/deserialized in the store.
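The ordering problem described in this issue, reduced to a dependency-free Java model. This is an added example, not Vert.x code and not from the issue reporter; `FlushOrderDemo`, `ReferenceStore`, `SerializingStore` and `tokenSeenByNextRequest` are hypothetical names, and copying the map on `put` stands in for serialization.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model, not Vert.x code: every class and method name here is hypothetical.
public class FlushOrderDemo {
    interface Store {
        void put(String id, Map<String, String> session);
        Map<String, String> get(String id);
    }

    // Keeps the raw session object, so mutations made after put() stay visible.
    static class ReferenceStore implements Store {
        private final Map<String, Map<String, String>> data = new HashMap<>();
        public void put(String id, Map<String, String> s) { data.put(id, s); }
        public Map<String, String> get(String id) { return data.get(id); }
    }

    // Takes a snapshot on put(); the copy stands in for serialize/deserialize.
    static class SerializingStore implements Store {
        private final Map<String, Map<String, String>> data = new HashMap<>();
        public void put(String id, Map<String, String> s) { data.put(id, new HashMap<>(s)); }
        public Map<String, String> get(String id) {
            Map<String, String> s = data.get(id);
            return s == null ? null : new HashMap<>(s);
        }
    }

    // One request: the flush models the headers-end handler, the update the end handler.
    static String tokenSeenByNextRequest(Store store, boolean updateBeforeFlush) {
        Map<String, String> session = new HashMap<>();
        Runnable csrfUpdate = () -> session.put("csrfToken", "constructed-token");
        Runnable flush = () -> store.put("sid", session);
        if (updateBeforeFlush) { csrfUpdate.run(); flush.run(); }
        else { flush.run(); csrfUpdate.run(); } // order described in the issue
        return store.get("sid").get("csrfToken");
    }

    public static void main(String[] args) {
        System.out.println("reference store, flush first:    "
            + tokenSeenByNextRequest(new ReferenceStore(), false));
        System.out.println("serializing store, flush first:  "
            + tokenSeenByNextRequest(new SerializingStore(), false));
        System.out.println("serializing store, update first: "
            + tokenSeenByNextRequest(new SerializingStore(), true));
    }
}
```

With the flush-first order only the reference-holding store returns the token, so a regression test for this behaviour needs a store that copies or serializes the session on `put`.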