When a client sends a request with a non-existent session cookie, JBoss EAP 7 / RHSSO responds with an incorrect JSESSIONID Cookie reusing the non-existent session id
Issue
- When a client sends a request carrying a non-existent session cookie to a web application that does not use HttpSession (for example, one that serves only static HTML pages or uses its own custom cookie), JBoss EAP 7 responds with an incorrect JSESSIONID response cookie: it reuses the non-existent session id taken from the request instead of issuing a new one.
- When a client sends a request with a non-existent JSESSIONID cookie to the "/auth" application on RHSSO, RHSSO incorrectly responds with a JSESSIONID response cookie that reuses the requested non-existent session id.
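The following check, added here and not part of the Red Hat article, verifies on a server you administer whether a request carrying a randomly generated (hence non-existent) JSESSIONID gets that same id handed back in Set-Cookie, which is the behaviour described above. The helper names, the constructed sample responses and the assumption that the server may append a ".route" suffix to the id are mine.

```python
"""Check whether a server hands a client-supplied, non-existent JSESSIONID
back in Set-Cookie (the behaviour described above) instead of minting a new one."""
import secrets
import urllib.request

def set_cookie_values(headers, name="JSESSIONID"):
    """Collect every value assigned to `name` across all Set-Cookie headers.
    `headers` is a list of (header-name, header-value) pairs; header names are
    matched case-insensitively and cookie attributes after ';' are ignored."""
    values = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        pair = hvalue.split(";", 1)[0]          # cookie-pair precedes attributes
        if "=" not in pair:
            continue
        cname, cvalue = pair.split("=", 1)
        if cname.strip() == name:
            values.append(cvalue.strip().strip('"'))
    return values

def session_id_reused(sent_id, headers):
    """True if any issued JSESSIONID equals the id we sent, optionally followed
    by a '.route' suffix (assumption: the server may append an instance id)."""
    for issued in set_cookie_values(headers):
        if issued == sent_id or issued.startswith(sent_id + "."):
            return True
    return False

def check_server(url, timeout=10):
    """Live probe against your own server: send a random id that cannot exist
    and report (sent_id, issued_ids, reused). Needs network; the constructed
    samples below exercise the same logic offline."""
    sent_id = secrets.token_hex(16).upper()
    req = urllib.request.Request(url, headers={"Cookie": f"JSESSIONID={sent_id}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers = list(resp.getheaders())
    return sent_id, set_cookie_values(headers), session_id_reused(sent_id, headers)

# Constructed sample responses, not captured from a real EAP or RHSSO instance.
BOGUS = "0123456789ABCDEF0123456789ABCDEF"
REUSED = [("Content-Type", "text/html"),
          ("Set-Cookie", f"JSESSIONID={BOGUS}.node1; Path=/auth; HttpOnly"),
          ("Set-Cookie", "APP_TOKEN=abc; Path=/auth")]   # app's own custom cookie
FRESH = [("Content-Type", "text/html"),
         ("set-cookie", "JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/; HttpOnly")]
NO_COOKIE = [("Content-Type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in (("reused", REUSED), ("fresh", FRESH), ("none", NO_COOKIE)):
        print(label, session_id_reused(BOGUS, hdrs))
```

A result of `True` from `check_server` on a server with no authenticated user means the server is echoing a session id it never issued, which is the condition this article describes.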
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 7.x
- Red Hat Single Sign-On (RHSSO)
  - 7.x