Issue #1222

2017-01-07 15:05:06 +11:00 · 2017-01-07 15:05:06 +11:00 · 3d35484dc7
parent 374be8d318
commit 3d35484dc7
1 changed files with 8 additions and 4 deletions
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@ -80,16 +80,20 @@ public class SessionAuthentication extends AbstractUserAuthentication implements
        if (_session!=null && _session.getAttribute(__J_AUTHENTICATED)!=null)
            _session.removeAttribute(__J_AUTHENTICATED);

-        doLogout();
+        doLogout(null);
    }

-    private void doLogout()
+    private void doLogout(HttpSessionBindingEvent event)
    {
        SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
        if (security!=null)
            security.logout(this);
-        if (_session!=null)
+        //if we were called by an unbind event, it means the session is invalid
+        //so don't try and remove the attribute
+        if (_session!=null && event == null)
+        {
            _session.removeAttribute(Session.SESSION_CREATED_SECURE);
+        }
    }

    @Override
@ -125,7 +129,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements
    @Override
    public void valueUnbound(HttpSessionBindingEvent event)
    {
-        doLogout();
+        doLogout(event);
    }

 }