vertx-web
Session is not removed from the `ClusteredSessionStore` if the session is destroyed
Version
4.5.8
Context
We are using the SessionHandler together with an AuthenticationHandler.
Expected
If destroy() is called on a Session, we'd expect the session to be deleted from the SessionStore, and further requests with this session to require re-authentication.
Actual
In the case of a LocalSessionStore, this conforms to our expectation. However, in the case of ClusteredSessionStore, the user-agent is able to make further requests without any re-authentication.
We assume the reason behind this is that the state of the session is not synchronized with the session store. Only the session id, timeout, lastAccessed, version and data are synchronized, but the state further includes destroyed, renewed, oldId and crc.
```java
// writeToBuffer() as shipped: serialises id, timeout, lastAccessed, version and the
// session data only; the destroyed, renewed, oldId and crc state is never written.
@Override
public void writeToBuffer(Buffer buff) {
  byte[] bytes = id().getBytes(UTF8);
  buff.appendInt(bytes.length).appendBytes(bytes); // length-prefixed session id
  buff.appendLong(timeout());
  buff.appendLong(lastAccessed());
  buff.appendInt(version());
  writeDataToBuffer(buff);                         // session data map
}
```
The functionality in the SessionHandler that removes the session from the session store upon a request with a destroyed session is therefore not triggered. As a result, a destroyed session can still be used (as similarly pointed out earlier: https://github.com/vert-x3/vertx-web/issues/329#issuecomment-198337865).
Our proposed fix is to include the session state in the synchronization.
If the proposed fix is accepted, I volunteer to create a pull request.
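As an added illustration, not code from vertx-web, here is a minimal model of the clustered record layout showing why the destroyed flag is lost: a record written with the shipped field set reads back as live on any node, whereas the proposed layout carries the flag. Class and method names are hypothetical; only Vert.x's Buffer API is used, for the byte layout.

```java
import io.vertx.core.buffer.Buffer;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in for the clustered session record (not the real session class).
public class SessionStateRoundTrip {

  // Fields the reported writeToBuffer() serialises, plus the 'destroyed' flag it omits.
  static final class Record {
    final String id; final long timeout; final long lastAccessed; final int version; final boolean destroyed;
    Record(String id, long timeout, long lastAccessed, int version, boolean destroyed) {
      this.id = id; this.timeout = timeout; this.lastAccessed = lastAccessed;
      this.version = version; this.destroyed = destroyed;
    }
  }

  // Current layout: length-prefixed id, timeout, lastAccessed, version (session data left out here).
  static Buffer writeCurrent(Record r) {
    byte[] idBytes = r.id.getBytes(StandardCharsets.UTF_8);
    Buffer b = Buffer.buffer();
    b.appendInt(idBytes.length).appendBytes(idBytes);
    b.appendLong(r.timeout).appendLong(r.lastAccessed).appendInt(r.version);
    return b;
  }

  // Proposed layout: the same fields followed by one byte carrying the destroyed flag.
  static Buffer writeProposed(Record r) {
    return writeCurrent(r).appendByte((byte) (r.destroyed ? 1 : 0));
  }

  // Reads the shared prefix; withState selects whether a trailing destroyed byte is expected.
  static Record read(Buffer b, boolean withState) {
    int pos = 0;
    int len = b.getInt(pos); pos += 4;
    String id = new String(b.getBytes(pos, pos + len), StandardCharsets.UTF_8); pos += len;
    long timeout = b.getLong(pos); pos += 8;
    long lastAccessed = b.getLong(pos); pos += 8;
    int version = b.getInt(pos); pos += 4;
    // Without the flag on the wire, a receiving node can only assume the session is live.
    boolean destroyed = withState && b.getByte(pos) == 1;
    return new Record(id, timeout, lastAccessed, version, destroyed);
  }

  public static void main(String[] args) {
    // Constructed sample: a session that destroy() has already been called on.
    Record destroyed = new Record("sample-session-id", 30_000L, System.currentTimeMillis(), 1, true);
    System.out.println("current layout  -> destroyed=" + read(writeCurrent(destroyed), false).destroyed);
    System.out.println("proposed layout -> destroyed=" + read(writeProposed(destroyed), true).destroyed);
  }
}
```

With the flag carried across the cluster, the SessionHandler's existing check for a destroyed session can fire on whichever node receives the next request.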