Session not invalidated properly, getting error UT000010: Session is invalid

I upgraded Struts from version 2.3 to 6.0. It builds successfully, but when I try to log in to the application I get

UT000010: Session is invalid HubC5VAM4TUaSwQgPtLbbmAEXTAZii0VTrfXfNJw

in the browser.

I am using WildFly 24+ Struts 6.0.

Error stack:

1:21:41,611 INFO  [stdout] (default task-1) 2024-02-19 01:21:41,602 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] Exception occurred during processing request: UT000010: Session is invalid HubC5VAM4TUaSwQgPtLbbmAEXTAZii0VTrfXfNJw

01:21:41,611 INFO  [stdout] (default task-1) java.lang.IllegalStateException: UT000010: Session is invalid HubC5VAM4TUaSwQgPtLbbmAEXTAZii0VTrfXfNJw

01:21:41,611 INFO  [stdout] (default task-1)    at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:519) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,611 INFO  [stdout] (default task-1)    at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,611 INFO  [stdout] (default task-1)    at org.apache.struts2.dispatcher.SessionMap.get(SessionMap.java:157) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,611 INFO  [stdout] (default task-1)    at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:175) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,612 INFO  [stdout] (default task-1)    at org.apache.struts2.interceptor.csp.DefaultCspSettings.associateNonceWithSession(DefaultCspSettings.java:90) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,612 INFO  [stdout] (default task-1)    at org.apache.struts2.interceptor.csp.DefaultCspSettings.addCspHeaders(DefaultCspSettings.java:78) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,612 INFO  [stdout] (default task-1)    at org.apache.struts2.interceptor.csp.CspInterceptor.beforeResult(CspInterceptor.java:49) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,612 INFO  [stdout] (default task-1)    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:274) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,612 INFO  [stdout] (default task-1)    at com.ge.hca.torch.presentation.securityfilter.TorchTokenSessionStoreInterceptor.doIntercept(TorchTokenSessionStoreInterceptor.java:176) ~[classes:?]

01:21:41,612 INFO  [stdout] (default task-1)    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,612 INFO  [stdout] (default task-1)    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,613 INFO  [stdout] (default task-1)    at org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:48) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,613 INFO  [stdout] (default task-1)    at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:637) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,613 INFO  [stdout] (default task-1)    at org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,613 INFO  [stdout] (default task-1)    at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:140) ~[struts2-core-6.0.0.jar:6.0.0]

01:21:41,613 INFO  [stdout] (default task-1)    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,613 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,613 INFO  [stdout] (default task-1)    at com.ge.hca.torch.presentation.securityfilter.SqlInjectionAndXSSFilter.doFilter(SqlInjectionAndXSSFilter.java:79) ~[classes:?]

01:21:41,613 INFO  [stdout] (default task-1)    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at com.ge.hca.torch.presentation.securityfilter.AccessFilter.doFilter(AccessFilter.java:86) ~[classes:?]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.17.1.jar:2.17.1]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,614 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,615 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,615 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,615 INFO  [stdout] (default task-1)    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) ~[?:?]

01:21:41,615 INFO  [stdout] (default task-1)    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]

01:21:41,615 INFO  [stdout] (default task-1)    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]

This is my login action code:

    if (null == mode)
    {
        HttpSession session = getServletRequest().getSession(false);
        log.debug(session + "" + getServletRequest().getSession(false));
        if (null != session)
        {
            session.invalidate();
        }
        // removed from above if condition during migration of struts2 as struts1 session was created in locale settings
        session = getServletRequest().getSession(true);
    }
    userVO = (UserVO) getSessionObject(getServletRequest(), TorchConstants.GLOBAL_USERINFO_KEY);

This is the session code from my login action's parent class:

    protected Object getSessionObject(HttpServletRequest req, String attrName) {
        HttpSession httpSession = null;
        httpSession = req.getSession(false);
        Object obj = null;
        if (null != httpSession) {
            obj = httpSession.getAttribute(attrName);
        }
        return obj;
    }

I am not getting how to handle this situation.

There is 1 answer

Roman C

You are not allowed to use an old session after it was invalidated. In the action you have invalidated an HTTP session.

It is a servlet session object which should be avoided in the typical Struts2 application. Instead you should use a SessionMap.

Then you continued to reuse an old session which was kept in the SessionMap when beforeResult is executed. You also didn't update the Struts2 action context that keeps a SessionMap object.

If your action class implements SessionAware then a session map is injected into the action instance. If you use the reference then it should also be updated. If you use ActionContext then update an action context.

If you create a new SessionMap object then a new HTTP session will be initialized inside, but you lose attributes from the old session.

If you want to know how to renew a SessionMap that will use a new HTTP session and transfer the old session attributes, then see the answer to "Struts 2 session invalidation with setting request session to a new session".
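
One way to renew the session at login through the SessionMap, so that the later `SessionMap.put` seen in the stack trace (`associateNonceWithSession`) opens a fresh HTTP session instead of touching the invalidated one. This is an added example, not code from the answer above or from the linked answer; the class name `SessionRenewal` and the `keepKeys` parameter are hypothetical, and it assumes the map returned by `ActionContext.getContext().getSession()` is the Struts `SessionMap`.

```java
import com.opensymphony.xwork2.ActionContext;
import org.apache.struts2.dispatcher.SessionMap;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper; the class name and keepKeys parameter are assumptions. */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Replaces the current HTTP session with a fresh one and carries over only
     * the attributes named in keepKeys. Call it from the login action instead of
     * calling HttpSession.invalidate() on the servlet session directly.
     */
    public static void renew(Set<String> keepKeys) {
        Map<String, Object> session = ActionContext.getContext().getSession();
        if (session == null) {
            return; // no session map is bound to this request
        }

        // Snapshot the attributes to keep before the old session goes away.
        // Everything else is dropped with the pre-login session.
        Map<String, Object> kept = new HashMap<>();
        for (String key : keepKeys) {
            Object value = session.get(key);
            if (value != null) {
                kept.put(key, value);
            }
        }

        if (session instanceof SessionMap) {
            // Invalidates the HttpSession AND clears the map's cached reference to it,
            // which a direct HttpSession.invalidate() does not do.
            ((SessionMap) session).invalidate();
        }

        // The first put() after invalidate() makes the SessionMap create a new
        // HttpSession (new session id), then the kept attributes are restored.
        session.putAll(kept);
    }
}
```

In the login action this replaces the `session.invalidate()` / `getSession(true)` pair, for example `SessionRenewal.renew(Set.of())` when nothing from the pre-login session needs to survive.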