Details
- Bug
- Resolution: Timed out
- Low
- None
- 5.0.1
- None
- 5
- Severity 3 - Minor
Description
com.atlassian.jira.security.login.SSOSeraphAuthenticator.logoutUser() calls request.getSession() to remove an attribute from the session. However, request.getSession() creates a session if none is attached to the request. This results in sessions being created unnecessarily. A better approach would be to use request.getSession(false) and return if there is no session.
The impact is described in JSTDEV-1485. I'm marking this as minor because there are general workarounds afoot (JRA-27406 to rapidly expire one-request sessions, and CWD-2784 to avoid calling logout on the concrete Authenticator if there is no session). However, it would be worth fixing the root cause.
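The pattern described above, as an added illustration that is not Jira's SSOSeraphAuthenticator source: the buggy logout calls getSession() and so allocates a session for a request that carried none, while the fixed version uses getSession(false) and returns early. The attribute name and class names are placeholders; the listener at the end is one way to observe the extra allocations on a test instance.

```java
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Placeholder illustration, not Jira code. ATTR is an invented attribute name.
public class LogoutSessionExample {
    static final String ATTR = "example.logged.in.user";

    // Buggy pattern: getSession() with no argument creates a session when the
    // request has none, so every logout hit from a client without a session
    // cookie allocates server-side state that lingers until it times out.
    static boolean logoutCreatesSession(HttpServletRequest request) {
        HttpSession session = request.getSession();
        session.removeAttribute(ATTR);
        return true; // reports success even though there was nothing to log out
    }

    // Fixed pattern: getSession(false) returns null when no session exists,
    // so the request stays stateless and the method returns early.
    static boolean logoutWithoutCreating(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false; // nothing to clean up, and no new session allocated
        }
        session.removeAttribute(ATTR);
        return true;
    }

    // Detection aid: register this listener in web.xml of a test instance and
    // compare the count before and after a burst of cookie-less logout
    // requests; with the buggy pattern the count rises once per request.
    public static class SessionCounter implements HttpSessionListener {
        public static final AtomicLong CREATED = new AtomicLong();

        @Override
        public void sessionCreated(HttpSessionEvent se) {
            CREATED.incrementAndGet();
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            // no-op; only creations are of interest here
        }
    }
}
```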