
Heartbeat during the request calling reinitializeSession causes Session Tim

Michael C
5 years ago May 26, 2016 11:35am

We are using VaadinService.reinitializeSession to prevent session fixation attacks.
 
We're encountering a problem, however, whereby if a heartbeat occurs during the processing of the request that calls reinitializeSession, then the Session Timeout banner is displayed. This is due to the queued-up heartbeat request having the JSESSIONID of the old, now invalidated, session.
 
Has anybody else seen this? Obviously the window for it to happen is quite small - to reproduce reliably we've had to insert a Thread.sleep delay into the request that calls reinitializeSession, and manually time it to coincide with the next heartbeat.
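
A small model of the mechanism behind this report, added here as an illustration (it is not Vaadin's code and the `Server` class, its method names and the session ids are constructed for the example). It assumes what reinitializeSession does in outline: copy the session attributes, invalidate the old HttpSession so its id is no longer known to the container, and create a fresh session under a new id. The first function shows why that rotation is the point of the fixation defence; the second replays the interleaving above, where a heartbeat carrying the old JSESSIONID is processed after the rotation and is therefore answered as an expired session.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    """Constructed model of a servlet container's session table: id -> attributes."""
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def reinitialize_session(self, sid: str) -> str:
        """Same steps as reinitializeSession in outline: keep the attributes,
        drop the old id (old cookie now resolves to nothing), issue a new id."""
        attrs = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = attrs
        return new_sid

    def login(self, sid: str, user: str) -> str:
        # Rotate the id at the privilege boundary, then attach the authenticated
        # principal to the *new* session only (hypothetical login handler).
        new_sid = self.reinitialize_session(sid)
        self.sessions[new_sid]["user"] = user
        return new_sid

    def heartbeat(self, cookie_sid: str) -> str:
        """'ok' if the cookie names a live session, otherwise 'expired', which is
        the condition the client turns into the Session Timeout banner."""
        return "ok" if cookie_sid in self.sessions else "expired"


def fixation_is_defeated() -> bool:
    """Attacker-planted id: after the victim logs in, the planted id reaches no session."""
    server = Server()
    planted = server.new_session()            # id the attacker knows and plants in the victim's browser
    victim_sid = server.login(planted, "alice")  # victim authenticates using the planted id
    attacker_view = server.heartbeat(planted)  # attacker still holds the planted id
    return attacker_view == "expired" and server.sessions[victim_sid]["user"] == "alice"


def heartbeat_race() -> tuple:
    """Replay the interleaving from the post: the heartbeat is queued with the
    old JSESSIONID while the login request (the one calling reinitializeSession)
    is still running, and is only processed after the rotation has happened."""
    server = Server()
    sid = server.new_session()
    queued_heartbeat_cookie = sid        # browser built the heartbeat before the new cookie arrived
    new_sid = server.login(sid, "alice")  # the Thread.sleep window from the post sits inside this call
    stale = server.heartbeat(queued_heartbeat_cookie)  # processed after the rotation -> 'expired'
    fresh = server.heartbeat(new_sid)                  # any request carrying the new id -> 'ok'
    return stale, fresh


if __name__ == "__main__":
    print("fixation defeated:", fixation_is_defeated())
    print("stale heartbeat, fresh heartbeat:", heartbeat_race())
```

The model makes the trade-off explicit: the same invalidation that strips an attacker-chosen id of any value is what turns an in-flight heartbeat with the old id into an "expired" answer, so the race is a property of rotating by invalidation rather than a bug in the heartbeat itself.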

Michael C
5 years ago Jun 07, 2016 2:47pm