SessionRotate and CSRFGenerateToken throw exception with J2EE sessions enabled (not consistent with ACF)


With J2EE sessions enabled, calls to SessionRotate and CSRFGenerateToken cause exceptions to be thrown. In a sense, this is reasonable, since the 'SessionRotate' functionality doesn't work correctly in that environment - but this raises two separate problems:

1) this is not consistent with ACF behavior - ACF doesn't complain, and a usable value is returned by CSRFGenerateToken()

2) There isn't an obvious way to know if J2EE sessions are enabled (i.e. when I shouldn't be calling these methods) - am I missing something?

For now... it seems that we have to work around this problem by building our own equivalent to CSRFGenerateToken and use it if we catch an exception from the 'real' call

While it is true that the full benefit of SessionRotate is subverted by the J2EE session mechanism, use of a separate CSRF token is still worthwhile. We shouldn't have to build our own.


Linux (CentOS 7), Java 8 and Java 11
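The workaround the description sketches (fall back to a home-grown, session-bound token when the built-ins throw), written out as an added example. This is not code from the ticket or from Lucee itself; it assumes session management is on and the `session` scope is available to the template, and the form field and key names are illustrative.

```cfml
<cfscript>
// Added example, not code from the ticket or from Lucee.
// Uses the built-in CSRF functions when they work and falls back to a random,
// session-bound token when they throw (as reported with J2EE sessions enabled).
// Assumes sessionManagement is on so the session scope is available here.

// Return a CSRF token for the given key, creating and storing one if needed.
function csrfToken(required string key) {
    try {
        return CSRFGenerateToken(arguments.key);
    } catch (any e) {
        // Fallback: 256 bits of CSPRNG output, base64 encoded, one token per key per session.
        if (!structKeyExists(session, "csrfTokens")) {
            session.csrfTokens = {};
        }
        if (!structKeyExists(session.csrfTokens, arguments.key)) {
            session.csrfTokens[arguments.key] = generateSecretKey("AES", 256);
        }
        return session.csrfTokens[arguments.key];
    }
}

// Verify a submitted token against the one bound to this session and key.
function csrfVerify(required string token, required string key) {
    try {
        return CSRFVerifyToken(arguments.token, arguments.key);
    } catch (any e) {
        if (!structKeyExists(session, "csrfTokens")
            || !structKeyExists(session.csrfTokens, arguments.key)) {
            return false;
        }
        // Constant-time comparison via java.security.MessageDigest.isEqual so the
        // token value does not leak through timing differences.
        var expected = charsetDecode(session.csrfTokens[arguments.key], "utf-8");
        var supplied = charsetDecode(arguments.token, "utf-8");
        return createObject("java", "java.security.MessageDigest").isEqual(expected, supplied);
    }
}

// Usage: render the token into the form on GET, check it on POST.
// "transferForm" and the csrfToken field name are illustrative.
if (cgi.request_method == "POST") {
    if (!csrfVerify(form.csrfToken ?: "", "transferForm")) {
        cfheader(statuscode=403, statustext="Forbidden");
        writeOutput("Invalid CSRF token");
        abort;
    }
    // ... handle the verified POST here
} else {
    writeOutput('<form method="post">');
    writeOutput('<input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(csrfToken("transferForm"))#">');
    writeOutput('<button type="submit">Submit</button></form>');
}
</cfscript>
```

Because the built-ins either always work or always throw for a given session configuration, generation and verification take the same path within a deployment, so the two token stores never get mixed. The `catch (any e)` is deliberately broad to match the ticket's "if we catch an exception from the 'real' call"; in production you would at least log the exception once, since it also hides misconfiguration rather than just the J2EE-session case.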


Pothys - MitrahSoft
April 17, 2020, 8:24 AM

If you are OK with that, shall I close the ticket?

Pothys - MitrahSoft
May 27, 2020, 10:31 AM

Did you see my above comment? If not, please check it and report back here.

Pothys - MitrahSoft
October 6, 2020, 2:27 PM

Since this works in the fixed version, shall I close this ticket?

Tim Parker
October 6, 2020, 5:38 PM

go ahead and close it

Pothys - MitrahSoft
October 7, 2020, 7:27 AM

As the reporter said, I am closing this ticket.
