Issue #10804 isRequestedSessionId should be false for invalid session (#10807)

* Issue #10804 isRequestedSessionId should be false for invalid session

Author: janbartel

jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiRequest.java

@@ -83,6 +83,7 @@
 import org.eclipse.jetty.server.Session;
 import org.eclipse.jetty.session.AbstractSessionManager;
 import org.eclipse.jetty.session.ManagedSession;
+import org.eclipse.jetty.session.SessionManager;
 import org.eclipse.jetty.util.Callback;
 import org.eclipse.jetty.util.Fields;
 import org.eclipse.jetty.util.HostPort;
@@ -161,9 +162,9 @@ public ServletRequestInfo getServletRequestInfo()
 
     /**
      * @return The core {@link Request} associated with the servlet API request. This may differ
-     *         from {@link ServletContextRequest} as wrapped by the {@link ServletContextHandler} as it
-     *         may have been further wrapped before being passed
-     *         to {@link ServletChannel#associate(Request, Response, Callback)}.
+     * from {@link ServletContextRequest} as wrapped by the {@link ServletContextHandler} as it
+     * may have been further wrapped before being passed
+     * to {@link ServletChannel#associate(Request, Response, Callback)}.
      * @see #getServletRequestInfo()
      * @see ServletChannel#associate(Request, Response, Callback)
      */
@@ -420,7 +421,14 @@ public String changeSessionId()
     public boolean isRequestedSessionIdValid()
     {
         AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
-        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.session() != null;
+        HttpSession session = getSession(false);
+        SessionManager manager = getServletRequestInfo().getSessionManager();
+        return requestedSession != null &&
+            requestedSession.sessionId() != null &&
+            requestedSession.session() != null &&
+            requestedSession.session().isValid() &&
+            manager != null &&
+            manager.getSessionIdManager().getId(requestedSession.sessionId()).equals(session.getId());
     }
 
     @Override
@@ -1049,7 +1057,6 @@ public BufferedReader getReader() throws IOException
                 if (charset == null)
                     charset = StandardCharsets.ISO_8859_1;
             }
-
         }
         catch (IllegalCharsetNameException | UnsupportedCharsetException e)
         {
@@ -1334,7 +1341,9 @@ private static class ServletCookieList extends AbstractList<HttpCookie>
             _cookies = new Cookie[_httpCookies.size()];
             int i = 0;
             for (HttpCookie httpCookie : _httpCookies)
+            {
                 _cookies[i++] = convertCookie(httpCookie, compliance);
+            }
         }
 
         @Override

jetty-ee10/jetty-ee10-servlet/src/test/java/org/eclipse/jetty/ee10/servlet/SessionHandlerTest.java

@@ -434,6 +434,12 @@ public void testRequestedSessionIdFromCookie() throws Exception
             assertEquals(HttpServletResponse.SC_OK, response.getStatus());
             content = response.getContentAsString();
             assertThat(content, containsString("valid=true"));
+
+            //Invalidate it
+            response = client.GET(url + "?action=invalidate");
+            assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+            content = response.getContentAsString();
+            assertThat(content, containsString("valid=false"));
         }
         finally
         {
@@ -504,14 +510,23 @@ public void testRequestedSessionIdFromURL() throws Exception
             assertEquals(HttpServletResponse.SC_OK, response.getStatus());
             content = response.getContentAsString();
             assertThat(content, containsString("createdId="));
-            String sessionId = content.substring(content.indexOf("createdId=") + 10);
+            int i = content.indexOf("createdId=");
+            String sessionId = content.substring(i + 10);
+            i = sessionId.indexOf("\n");
+            sessionId = sessionId.substring(0, i);
             sessionId = sessionId.trim();
 
             //Check the requestedSessionId is valid
             response = client.GET(url + ";" + SessionConfig.__DefaultSessionIdPathParameterName + "=" + sessionId);
             assertEquals(HttpServletResponse.SC_OK, response.getStatus());
             content = response.getContentAsString();
             assertThat(content, containsString("valid=true"));
+
+            //Invalidate it
+            response = client.GET(url + "?action=invalidate;" + SessionConfig.__DefaultSessionIdPathParameterName + "=" + sessionId);
+            assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+            content = response.getContentAsString();
+            assertThat(content, containsString("valid=false"));
         }
         finally
         {
@@ -556,13 +571,18 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
         {
             PrintWriter writer = response.getWriter();
             writer.println("requestedId=" + request.getRequestedSessionId());
-            writer.println("valid=" + request.isRequestedSessionIdValid());
 
             if ("create".equals(request.getParameter("action")))
             {
                 HttpSession session = request.getSession(true);
                 writer.println("createdId=" + session.getId());
             }
+            else if ("invalidate".equals(request.getParameter("action")))
+            {
+                HttpSession session = request.getSession(false);
+                session.invalidate();
+            }
+            writer.println("valid=" + request.isRequestedSessionIdValid());
         }
     }
 

jetty-ee9/jetty-ee9-nested/src/test/java/org/eclipse/jetty/ee9/nested/SessionHandlerTest.java

@@ -124,6 +124,7 @@ public void handle(String target, Request baseRequest, HttpServletRequest reques
                             if (session == null)
                                 throw new IllegalStateException("No Session");
                             session.invalidate();
+                            session = null;
                         }
 
                         case "change" ->
@@ -432,6 +433,16 @@ public void testRequestedSessionIdFromCookie() throws Exception
             """.formatted(id));
         response = HttpTester.parseResponse(endPoint.getResponse());
         assertThat(response.getContent(), containsString("requestedSessionIdValid=true"));
+
+        //Invalidate and check requestedSessionId is invalid
+        endPoint.addInput("""
+            GET /invalidate HTTP/1.1
+            Host: localhost
+            Cookie: JSESSIONID=%s
+                        
+            """.formatted(id));
+        response = HttpTester.parseResponse(endPoint.getResponse());
+        assertThat(response.getContent(), containsString("requestedSessionIdValid=false"));
     }
 
     @Test