Jetty 12.1.x 12088 core requested session ID source (#12145)

add isRequestedSessionIdFromCookie/URL for core request

Co-authored-by: Jan Bartel <janb@webtide.com>

documentation/jetty/modules/code/examples/src/main/java/org/eclipse/jetty/docs/programming/server/session/SessionDocs.java

@@ -95,7 +95,7 @@ public class SessionDocs
             org.eclipse.jetty.session.SessionHandler sessionHandler = new org.eclipse.jetty.session.SessionHandler();
             sessionHandler.setSessionCookie("SIMPLE");
             sessionHandler.setUsingCookies(true);
-            sessionHandler.setUsingURLs(false);
+            sessionHandler.setUsingUriParameters(false);
             sessionHandler.setSessionPath("/");
             server.setHandler(sessionHandler);
             sessionHandler.setHandler(new Handler.Abstract()

jetty-core/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java

@@ -444,14 +444,12 @@ public class OpenIdAuthenticator extends LoginAuthenticator
                 return AuthenticationState.SEND_FAILURE;
             }
 
-            // TODO: No session API to work this out?
+            String sessionIdFrom = (String)request.getAttribute("org.eclipse.jetty.session.RequestedSession.sessionIdFrom");
-            /*
+            if (sessionIdFrom != null && !sessionIdFrom.startsWith("cookie"))
-            if (request.isRequestedSessionIdFromURL())
             {
-                sendError(req, res, cb, "Session ID must be a cookie to support OpenID authentication");
+                sendError(request, response, cb, "Session ID must be a cookie to support OpenID authentication");
-                return Authentication.SEND_FAILURE;
+                return AuthenticationState.SEND_FAILURE;
             }
-             */
 
             // Handle a request for authentication.
             if (isJSecurityCheck(uri))

jetty-core/jetty-security/src/test/java/org/eclipse/jetty/security/jaas/JAASLdapLoginServiceTest.java

@@ -396,5 +396,4 @@ public class JAASLdapLoginServiceTest extends AbstractLdapTestUnit
             return null;
         }
     }
-
 }

jetty-core/jetty-session/src/main/java/org/eclipse/jetty/session/AbstractSessionManager.java

@@ -40,6 +40,7 @@ import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.Session;
 import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.util.Attributes;
 import org.eclipse.jetty.util.Callback;
 import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.URIUtil;
@@ -981,24 +982,6 @@ public abstract class AbstractSessionManager extends ContainerLifeCycle implemen
         _usingUriParameters = usingUriParameters;
     }
 
-    /**
-     * @deprecated use {@link #isUsingUriParameters()} instead, will be removed in Jetty 12.1.0
-     */
-    @Deprecated(since = "12.0.1", forRemoval = true)
-    public boolean isUsingURLs()
-    {
-        return isUsingUriParameters();
-    }
-
-    /**
-     * @deprecated use {@link #setUsingUriParameters(boolean)} instead, will be removed in Jetty 12.1.0
-     */
-    @Deprecated(since = "12.0.1", forRemoval = true)
-    public void setUsingURLs(boolean usingURLs)
-    {
-        setUsingUriParameters(usingURLs);
-    }
-
     /**
      * Create a new Session, using the requested session id if possible.
      * @param request the inbound request
@@ -1229,7 +1212,7 @@ public abstract class AbstractSessionManager extends ContainerLifeCycle implemen
         {
             //Cookie[] cookies = request.getCookies();
             List<HttpCookie> cookies = Request.getCookies(request);
-            if (cookies != null && cookies.size() > 0)
+            if (!cookies.isEmpty())
             {
                 final String sessionCookie = getSessionCookie();
                 for (HttpCookie cookie : cookies)
@@ -1279,7 +1262,7 @@ public abstract class AbstractSessionManager extends ContainerLifeCycle implemen
         }
 
         if (ids == null)
-            return NO_REQUESTED_SESSION;
+            return RequestedSession.NO_REQUESTED_SESSION;
 
         if (LOG.isDebugEnabled())
             LOG.debug("Got Session IDs {} from cookies {}", ids, cookieIds);
@@ -1319,8 +1302,7 @@ public abstract class AbstractSessionManager extends ContainerLifeCycle implemen
             {
                 //we already have a valid session and now have a duplicate ID for it
                 if (LOG.isDebugEnabled())
-                    LOG.debug(duplicateSession(
+                    LOG.debug(duplicateSession(requestedSessionId, requestedSessionIdFromCookie,
-                        requestedSessionId, true, requestedSessionIdFromCookie,
                         id, false, i < cookieIds));
             }
             else
@@ -1350,26 +1332,27 @@ public abstract class AbstractSessionManager extends ContainerLifeCycle implemen
                     }
 
                     throw new BadMessageException(duplicateSession(
-                        requestedSessionId, true, requestedSessionIdFromCookie,
+                        requestedSessionId, requestedSessionIdFromCookie,
                         id, true, i < cookieIds));
                 }
                 else if (LOG.isDebugEnabled())
                 {
                     LOG.debug(duplicateSession(
-                        requestedSessionId, true, requestedSessionIdFromCookie,
+                        requestedSessionId, requestedSessionIdFromCookie,
                         id, false, i < cookieIds));
                 }
             }
         }
 
-        return new RequestedSession((session != null && session.isValid()) ? session : null, requestedSessionId, requestedSessionIdFromCookie);
+        return new RequestedSession((session != null && session.isValid()) ? session : null, requestedSessionId,
+            requestedSessionIdFromCookie ? RequestedSession.ID_FROM_COOKIE : RequestedSession.ID_FROM_URI_PARAMETER);
     }
 
-    private static String duplicateSession(String id0, boolean valid0, boolean cookie0, String id1, boolean valid1, boolean cookie1)
+    private static String duplicateSession(String id0, boolean fromCookie0, String id1, boolean valid1, boolean fromCookie1)
     {
         return "Duplicate sessions: %s[%s,%s] & %s[%s,%s]".formatted(
-            id0, valid0 ? "valid" : "unknown", cookie0 ? "cookie" : "param",
+            id0, "valid", fromCookie0 ? RequestedSession.ID_FROM_COOKIE : RequestedSession.ID_FROM_URI_PARAMETER,
-            id1, valid1 ? "valid" : "unknown", cookie1 ? "cookie" : "param");
+            id1, valid1 ? "valid" : "unknown", fromCookie1 ? RequestedSession.ID_FROM_COOKIE : RequestedSession.ID_FROM_URI_PARAMETER);
     }
 
     /**
@@ -1379,12 +1362,89 @@ public abstract class AbstractSessionManager extends ContainerLifeCycle implemen
     {
         _sessionCache.shutdown();
     }
-    
-    public record RequestedSession(ManagedSession session, String sessionId, boolean sessionIdFromCookie)
-    {
-    }
 
-    private static final  RequestedSession NO_REQUESTED_SESSION = new RequestedSession(null, null, false);
+    /**
+     * Details of the requested session.
+     * Session implementations should make an instance of this record available as a hidden (not in name set) request
+     * attribute for the name "org.eclipse.jetty.session.AbstractSessionManager$RequestedSession"
+     * @param session The {@link Session} associated with the ID, which may have been invalidated or changed ID since the
+     *                request was received; or {@code null} if no session existed matching the requested ID.
+     * @param sessionId The requested session ID.
+     * @param sessionIdFrom A {@link String} representing the source of the session ID.  Common values include:
+     *                      {@link #ID_FROM_COOKIE} or {@link #ID_FROM_URI_PARAMETER} if there is no ID.
+     */
+    public record RequestedSession(ManagedSession session, String sessionId, String sessionIdFrom)
+    {
+        public static final RequestedSession NO_REQUESTED_SESSION = new RequestedSession(null, null, null);
+        public static final String ATTRIBUTE = "org.eclipse.jetty.session.RequestedSession";
+        public static final String ID_FROM_COOKIE = "cookie";
+        public static final String ID_FROM_URI_PARAMETER = "uri";
+
+        /**
+         * Get the {@code RequestedSession} by attribute
+         * @param request The attributes to query
+         * @return The found {@code RequestedSession} or {@link #NO_REQUESTED_SESSION} if none found. Never {@code null}.
+         */
+        public static RequestedSession byAttribute(Attributes request)
+        {
+            RequestedSession requestedSession = (RequestedSession)request.getAttribute(ATTRIBUTE);
+            return requestedSession == null ? NO_REQUESTED_SESSION : requestedSession;
+        }
+
+        /**
+         * @param name An attribute name
+         * @return {@code true} if the attribute name is applicable to a requested session.
+         * @see #getAttribute(String)
+         */
+        public static boolean isApplicableAttribute(String name)
+        {
+            return name != null && name.startsWith(ATTRIBUTE);
+        }
+
+        /**
+         * Get attributes asssociated with this requested session:
+         * <ul>
+         *     <li>`org.eclipse.jetty.session.RequestedSession` this instance.</li>
+         *     <li>`org.eclipse.jetty.session.RequestedSession.session` the {@link #session()}.</li>
+         *     <li>`org.eclipse.jetty.session.RequestedSession.sessionId` the {@link #sessionId()}.</li>
+         *     <li>`org.eclipse.jetty.session.RequestedSession.sessionIdFrom` the {@link #sessionIdFrom()}.</li>
+         * </ul>
+         * @param name An attributed name
+         * @return the attribute value or {@code null}
+         */
+        public Object getAttribute(String name)
+        {
+            if (name == null || name.length() < ATTRIBUTE.length())
+                return null;
+
+            if (ATTRIBUTE.equals(name))
+                return this;
+
+            if (name.startsWith(ATTRIBUTE) && name.charAt(ATTRIBUTE.length()) == '.')
+            {
+                return switch (name.substring(ATTRIBUTE.length() + 1))
+                {
+                    case "session" -> session();
+                    case "sessionId" -> sessionId();
+                    case "sessionIdFrom" -> sessionIdFrom();
+                    default -> null;
+                };
+            }
+
+            return null;
+        }
+
+        /**
+         * Test if this {@code RequestedSession} ID is from a particular session source
+         * @param source A {@link String} representing the source of the session ID.  Common values include:
+         *               {@link #ID_FROM_COOKIE} or {@link #ID_FROM_URI_PARAMETER} if there is no ID.
+         * @return {@code True} iff this {@code RequestedSession} ID is from the source.
+         */
+        public boolean isSessionIdFrom(String source)
+        {
+            return source != null && source.equals(sessionIdFrom);
+        }
+    }
 
     /**
      * A session cookie is marked as secure IFF any of the following conditions are true:

jetty-core/jetty-session/src/main/java/org/eclipse/jetty/session/SessionHandler.java

@@ -82,10 +82,10 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
         return null;
     }
 
-    private class SessionRequest extends Request.Wrapper
+    public class SessionRequest extends Request.Wrapper
     {
         private final AtomicReference<ManagedSession> _session = new AtomicReference<>();
-        private String _requestedSessionId;
+        RequestedSession _requestedSession;
         private Response _response;
 
         public SessionRequest(Request request)
@@ -103,6 +103,14 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
             return _session.get();
         }
 
+        @Override
+        public Object getAttribute(String name)
+        {
+            if (RequestedSession.isApplicableAttribute(name))
+                return _requestedSession.getAttribute(name);
+            return super.getAttribute(name);
+        }
+
         @Override
         public Session getSession(boolean create)
         {
@@ -113,7 +121,7 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
 
             if (session == null && create)
             {
-                newSession(this, _requestedSessionId, this::setManagedSession);
+                newSession(this, _requestedSession.sessionId(), this::setManagedSession);
                 session = _session.get();
                 HttpCookie cookie = getSessionCookie(session, getConnectionMetaData().isSecure());
                 if (cookie != null)
@@ -126,10 +134,8 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
         public boolean process(Handler handler, Response response, Callback callback) throws Exception
         {
             _response = response;
-
+            _requestedSession = resolveRequestedSessionId(this);
-            RequestedSession requestedSession = resolveRequestedSessionId(this);
+            ManagedSession session = _requestedSession.session();
-            _requestedSessionId = requestedSession.sessionId();
-            ManagedSession session = requestedSession.session();
 
             if (session != null)
             {

jetty-core/jetty-session/src/test/java/org/eclipse/jetty/session/SessionHandlerTest.java

@@ -25,6 +25,7 @@ import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.Session;
+import org.eclipse.jetty.session.AbstractSessionManager.RequestedSession;
 import org.eclipse.jetty.util.Callback;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -148,8 +149,21 @@ public class SessionHandlerTest
                     {
                         if (session.isNew())
                             out.append("New\n");
+
+                        RequestedSession requestedSession = RequestedSession.byAttribute(request);
+
+                        out.append("RequestedSessionIdFromCookie: ")
+                            .append(requestedSession.isSessionIdFrom(RequestedSession.ID_FROM_COOKIE))
+                            .append('\n');
+                        out.append("RequestedSessionIdFromURL: ")
+                            .append(requestedSession.isSessionIdFrom(RequestedSession.ID_FROM_URI_PARAMETER))
+                            .append('\n');
                         for (String name : session.getAttributeNameSet())
-                            out.append("Attribute ").append(name).append(" = ").append(session.getAttribute(name)).append('\n');
+                            out.append("Attribute ")
+                                .append(name)
+                                .append(" = ")
+                                .append(session.getAttribute(name))
+                                .append('\n');
                         out.append("URI [")
                             .append(session.encodeURI(request, "/some/path", request.getHeaders().contains(HttpHeader.COOKIE)))
                             .append("]");
@@ -499,6 +513,8 @@ public class SessionHandlerTest
             assertThat(response.getStatus(), equalTo(200));
             content = response.getContent();
             assertThat(content, containsString("Session=" + id.substring(0, id.indexOf(".node0"))));
+            assertThat(content, containsString("RequestedSessionIdFromCookie: true"));
+            assertThat(content, containsString("RequestedSessionIdFromURL: false"));
             assertThat(content, containsString("URI [/some/path]")); // Cookies known to be in use
 
             // Get with parameter
@@ -513,6 +529,8 @@ public class SessionHandlerTest
             assertThat(response.getStatus(), equalTo(200));
             content = response.getContent();
             assertThat(content, containsString("Session=" + id.substring(0, id.indexOf(".node0"))));
+            assertThat(content, containsString("RequestedSessionIdFromCookie: false"));
+            assertThat(content, containsString("RequestedSessionIdFromURL: true"));
             assertThat(content, containsString("URI [/some/path;session_id=%s]".formatted(id))); // Cookies not in use
 
             // Get with both, but param wrong

jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/Attributes.java

@@ -32,6 +32,10 @@ import org.eclipse.jetty.util.component.Dumpable;
 /**
  * Attributes.
  * Interface commonly used for storing attributes.
+ * <p>
+ * Some attributes may be "hidden" attributes, in that they are only found by an explicit call to
+ * {@link #getAttribute(String)} and they do not otherwise appear in {@link #getAttributeNameSet()}
+ * or {@link #asAttributeMap()}.
  */
 public interface Attributes
 {
@@ -51,7 +55,10 @@ public interface Attributes
     Object setAttribute(String name, Object attribute);
 
     /**
-     * Get an attribute
+     * Get an attribute by name.
+     * Some attributes may be "hidden" attributes, in that they are only found by an explicit call to
+     * {@code getAttribute(String)} and they do not otherwise appear in {@link #getAttributeNameSet()}
+     * or {@link #asAttributeMap()}.
      * @param name the attribute to get
      * @return the value of the attribute, or {@code null} if no such attribute exists
      */

jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiRequest.java

@@ -83,7 +83,7 @@ import org.eclipse.jetty.server.HttpCookieUtils;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.Session;
-import org.eclipse.jetty.session.AbstractSessionManager;
+import org.eclipse.jetty.session.AbstractSessionManager.RequestedSession;
 import org.eclipse.jetty.session.ManagedSession;
 import org.eclipse.jetty.session.SessionManager;
 import org.eclipse.jetty.util.Callback;
@@ -492,7 +492,7 @@ public class ServletApiRequest implements HttpServletRequest
     @Override
     public String getRequestedSessionId()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
         return requestedSession == null ? null : requestedSession.sessionId();
     }
 
@@ -551,7 +551,7 @@ public class ServletApiRequest implements HttpServletRequest
     @Override
     public boolean isRequestedSessionIdValid()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
         HttpSession session = getSession(false);
         SessionManager manager = getServletRequestInfo().getSessionManager();
         return requestedSession != null &&
@@ -565,15 +565,15 @@ public class ServletApiRequest implements HttpServletRequest
     @Override
     public boolean isRequestedSessionIdFromCookie()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
-        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.sessionIdFromCookie();
+        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.isSessionIdFrom(RequestedSession.ID_FROM_COOKIE);
     }
 
     @Override
     public boolean isRequestedSessionIdFromURL()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
-        return requestedSession != null && requestedSession.sessionId() != null && !requestedSession.sessionIdFromCookie();
+        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.isSessionIdFrom(RequestedSession.ID_FROM_URI_PARAMETER);
     }
 
     @Override

jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletContextRequest.java

@@ -330,6 +330,8 @@ public class ServletContextRequest extends ContextRequest implements ServletCont
     @Override
     public Object getAttribute(String name)
     {
+        if (AbstractSessionManager.RequestedSession.isApplicableAttribute(name))
+            return _requestedSession.getAttribute(name);
         return _attributes.getAttribute(name);
     }
 

jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/SessionHandler.java

@@ -708,27 +708,33 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
     private class NonServletSessionRequest extends Request.Wrapper
     {
         private final Response _response;
-        private RequestedSession _session;
+        private RequestedSession _requestedSession;
 
         public NonServletSessionRequest(Request request, Response response, RequestedSession requestedSession)
         {
             super(request);
             _response = response;
-            _session = requestedSession;
+            _requestedSession = requestedSession;
+        }
+
+        @Override
+        public Object getAttribute(String name)
+        {
+            if (AbstractSessionManager.RequestedSession.isApplicableAttribute(name))
+                return _requestedSession.getAttribute(name);
+            return super.getAttribute(name);
         }
 
         @Override
         public Session getSession(boolean create)
         {
-            ManagedSession session = _session.session();
+            ManagedSession session = _requestedSession.session();
 
             if (session != null || !create)
                 return session;
 
-            newSession(getWrapped(), _session.sessionId(), ms ->
+            newSession(getWrapped(), _requestedSession.sessionId(), ms -> _requestedSession = new RequestedSession(ms, _requestedSession.sessionId(), _requestedSession.sessionIdFrom()));
-                _session = new RequestedSession(ms, _session.sessionId(), true));
+            session = _requestedSession.session();
-
-            session = _session.session();
             if (session == null)
                 throw new IllegalStateException("Create session failed");
 
@@ -740,7 +746,7 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
 
         ManagedSession getManagedSession()
         {
-            return _session.session();
+            return _requestedSession.session();
         }
     }
 }

jetty-ee11/jetty-ee11-servlet/src/main/java/org/eclipse/jetty/ee11/servlet/ServletApiRequest.java

@@ -83,7 +83,7 @@ import org.eclipse.jetty.server.HttpCookieUtils;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.Session;
-import org.eclipse.jetty.session.AbstractSessionManager;
+import org.eclipse.jetty.session.AbstractSessionManager.RequestedSession;
 import org.eclipse.jetty.session.ManagedSession;
 import org.eclipse.jetty.session.SessionManager;
 import org.eclipse.jetty.util.Callback;
@@ -492,7 +492,7 @@ public class ServletApiRequest implements HttpServletRequest
     @Override
     public String getRequestedSessionId()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
         return requestedSession == null ? null : requestedSession.sessionId();
     }
 
@@ -551,7 +551,7 @@ public class ServletApiRequest implements HttpServletRequest
     @Override
     public boolean isRequestedSessionIdValid()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
         HttpSession session = getSession(false);
         SessionManager manager = getServletRequestInfo().getSessionManager();
         return requestedSession != null &&
@@ -565,15 +565,15 @@ public class ServletApiRequest implements HttpServletRequest
     @Override
     public boolean isRequestedSessionIdFromCookie()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
-        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.sessionIdFromCookie();
+        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.isSessionIdFrom(RequestedSession.ID_FROM_COOKIE);
     }
 
     @Override
     public boolean isRequestedSessionIdFromURL()
     {
-        AbstractSessionManager.RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
+        RequestedSession requestedSession = getServletRequestInfo().getRequestedSession();
-        return requestedSession != null && requestedSession.sessionId() != null && !requestedSession.sessionIdFromCookie();
+        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.isSessionIdFrom(RequestedSession.ID_FROM_URI_PARAMETER);
     }
 
     @Override

jetty-ee11/jetty-ee11-servlet/src/main/java/org/eclipse/jetty/ee11/servlet/ServletContextRequest.java

@@ -330,6 +330,8 @@ public class ServletContextRequest extends ContextRequest implements ServletCont
     @Override
     public Object getAttribute(String name)
     {
+        if (AbstractSessionManager.RequestedSession.class.getName().equals(name))
+            return _requestedSession;
         return _attributes.getAttribute(name);
     }
 

jetty-ee11/jetty-ee11-servlet/src/main/java/org/eclipse/jetty/ee11/servlet/SessionHandler.java

@@ -752,27 +752,33 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
     private class NonServletSessionRequest extends Request.Wrapper
     {
         private final Response _response;
-        private RequestedSession _session;
+        private RequestedSession _requestedSession;
 
         public NonServletSessionRequest(Request request, Response response, RequestedSession requestedSession)
         {
             super(request);
             _response = response;
-            _session = requestedSession;
+            _requestedSession = requestedSession;
+        }
+
+        @Override
+        public Object getAttribute(String name)
+        {
+            if (AbstractSessionManager.RequestedSession.isApplicableAttribute(name))
+                return _requestedSession.getAttribute(name);
+            return super.getAttribute(name);
         }
 
         @Override
         public Session getSession(boolean create)
         {
-            ManagedSession session = _session.session();
+            ManagedSession session = _requestedSession.session();
 
             if (session != null || !create)
                 return session;
 
-            newSession(getWrapped(), _session.sessionId(), ms ->
+            newSession(getWrapped(), _requestedSession.sessionId(), ms -> _requestedSession = new RequestedSession(ms, _requestedSession.sessionId(), _requestedSession.sessionIdFrom()));
-                _session = new RequestedSession(ms, _session.sessionId(), true));
+            session = _requestedSession.session();
-
-            session = _session.session();
             if (session == null)
                 throw new IllegalStateException("Create session failed");
 
@@ -784,7 +790,7 @@ public class SessionHandler extends AbstractSessionManager implements Handler.Si
 
         ManagedSession getManagedSession()
         {
-            return _session.session();
+            return _requestedSession.session();
         }
     }
 }

jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/ContextHandler.java

@@ -2466,7 +2466,7 @@ public class ContextHandler extends ScopedHandler implements Attributes, Supplie
         private ManagedSession _managedSession;
         private List<ManagedSession> _managedSessions;
 
-        AbstractSessionManager.RequestedSession _requestedSession;
+        AbstractSessionManager.RequestedSession _requestedSession = AbstractSessionManager.RequestedSession.NO_REQUESTED_SESSION;
 
         protected CoreContextRequest(org.eclipse.jetty.server.Request wrapped,
                                      ScopedContext context,
@@ -2566,7 +2566,15 @@ public class ContextHandler extends ScopedHandler implements Attributes, Supplie
          */
         public void setRequestedSession(AbstractSessionManager.RequestedSession requestedSession)
         {
-            _requestedSession = requestedSession;
+            _requestedSession = requestedSession == null ? AbstractSessionManager.RequestedSession.NO_REQUESTED_SESSION : requestedSession;
+        }
+
+        @Override
+        public Object getAttribute(String name)
+        {
+            if (AbstractSessionManager.RequestedSession.class.getName().equals(name))
+                return _requestedSession;
+            return super.getAttribute(name);
         }
 
         /**
@@ -2653,7 +2661,7 @@ public class ContextHandler extends ScopedHandler implements Attributes, Supplie
             if (_sessionManager == null)
                 throw new IllegalStateException("No SessionManager");
 
-            _sessionManager.newSession(this, _requestedSession == null ? null : _requestedSession.sessionId(), this::setManagedSession);
+            _sessionManager.newSession(this, _requestedSession.sessionId(), this::setManagedSession);
 
             if (_managedSession == null)
                 throw new IllegalStateException("Create session failed");

jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/Request.java

@@ -85,7 +85,7 @@ import org.eclipse.jetty.server.FormFields;
 import org.eclipse.jetty.server.HttpCookieUtils;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.Session;
-import org.eclipse.jetty.session.AbstractSessionManager;
+import org.eclipse.jetty.session.AbstractSessionManager.RequestedSession;
 import org.eclipse.jetty.session.ManagedSession;
 import org.eclipse.jetty.session.SessionManager;
 import org.eclipse.jetty.util.Attributes;
@@ -1245,7 +1245,7 @@ public class Request implements HttpServletRequest
     @Override
     public String getRequestedSessionId()
     {
-        AbstractSessionManager.RequestedSession requestedSession = _coreRequest.getRequestedSession();
+        RequestedSession requestedSession = _coreRequest.getRequestedSession();
         return requestedSession == null ? null : requestedSession.sessionId();
     }
 
@@ -1522,8 +1522,7 @@ public class Request implements HttpServletRequest
     @Override
     public boolean isRequestedSessionIdFromCookie()
     {
-        AbstractSessionManager.RequestedSession requestedSession = _coreRequest.getRequestedSession();
+        return _coreRequest.getRequestedSession().isSessionIdFrom(RequestedSession.ID_FROM_COOKIE);
-        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.sessionIdFromCookie();
     }
 
     @Override
@@ -1536,14 +1535,13 @@ public class Request implements HttpServletRequest
     @Override
     public boolean isRequestedSessionIdFromURL()
     {
-        AbstractSessionManager.RequestedSession requestedSession = _coreRequest.getRequestedSession();
+        return _coreRequest.getRequestedSession().isSessionIdFrom(RequestedSession.ID_FROM_URI_PARAMETER);
-        return requestedSession != null && requestedSession.sessionId() != null && !requestedSession.sessionIdFromCookie();
     }
 
     @Override
     public boolean isRequestedSessionIdValid()
     {
-        AbstractSessionManager.RequestedSession requestedSession = _coreRequest.getRequestedSession();
+        RequestedSession requestedSession = _coreRequest.getRequestedSession();
         SessionManager sessionManager = _coreRequest.getSessionManager();
         ManagedSession managedSession = _coreRequest.getManagedSession();
         return requestedSession != null &&

jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/SessionHandler.java

@@ -556,7 +556,7 @@ public class SessionHandler extends ScopedHandler implements SessionConfig.Mutab
                             currentSession = currentRequestedSession.session();
                         }
                         else
-                            currentRequestedSession = new AbstractSessionManager.RequestedSession(currentSession, currentSession.getId(), false /*TODO!!!*/);
+                            currentRequestedSession = new AbstractSessionManager.RequestedSession(currentSession, currentSession.getId(), null /*TODO!!!*/);
 
                         coreRequest.setManagedSession(currentSession);
                         coreRequest.setRequestedSession(currentRequestedSession);

jetty-ee9/jetty-ee9-nested/src/test/java/org/eclipse/jetty/ee9/nested/ResponseTest.java

@@ -67,7 +67,7 @@ import org.eclipse.jetty.server.NetworkConnector;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.Session;
 import org.eclipse.jetty.server.TunnelSupport;
-import org.eclipse.jetty.session.AbstractSessionManager;
+import org.eclipse.jetty.session.AbstractSessionManager.RequestedSession;
 import org.eclipse.jetty.session.DefaultSessionCache;
 import org.eclipse.jetty.session.DefaultSessionIdManager;
 import org.eclipse.jetty.session.ManagedSession;
@@ -1613,7 +1613,7 @@ public class ResponseTest
 
         ContextHandler.CoreContextRequest coreRequest = response.getHttpChannel().getCoreRequest();
         coreRequest.setSessionManager(sessionHandler.getSessionManager());
-        coreRequest.setRequestedSession(new AbstractSessionManager.RequestedSession(null, "12345", false));
+        coreRequest.setRequestedSession(new RequestedSession(null, "12345", RequestedSession.ID_FROM_URI_PARAMETER));
         assertNotNull(request.getSession(true));
         assertThat(request.getSession(false).getId(), is("12345"));
 
@@ -1724,7 +1724,7 @@ public class ResponseTest
                 ContextHandler.CoreContextRequest coreRequest = response.getHttpChannel().getCoreRequest();
                 coreRequest.setSessionManager(sessionHandler.getSessionManager());
                 ManagedSession session = sessionHandler.getSessionManager().getManagedSession("12345");
-                coreRequest.setRequestedSession(new AbstractSessionManager.RequestedSession(session, "12345", cookie));
+                coreRequest.setRequestedSession(new RequestedSession(session, "12345", cookie ? RequestedSession.ID_FROM_COOKIE : RequestedSession.ID_FROM_URI_PARAMETER));
                 if (session == null)
                     request.getSession(true);
 
@@ -1793,7 +1793,7 @@ public class ResponseTest
                     request.setContext(_context._apiContext, "/info");
 
                     ContextHandler.CoreContextRequest coreRequest = response.getHttpChannel().getCoreRequest();
-                    coreRequest.setRequestedSession(new AbstractSessionManager.RequestedSession(null, "12345", i > 2));
+                    coreRequest.setRequestedSession(new RequestedSession(null, "12345", i > 2 ? RequestedSession.ID_FROM_COOKIE : RequestedSession.ID_FROM_URI_PARAMETER));
                     SessionHandler handler = new SessionHandler();
 
                     NullSessionDataStore dataStore = new NullSessionDataStore();