SessionRotate and CSRFGenerateToken throw exception with J2EE sessions enabled (not consistent with ACF)

Description

With J2EE sessions enabled, calls to SessionRotate and CSRFGenerateToken cause exceptions to be thrown. In a sense, this is reasonable, since the 'SessionRotate' functionality doesn't work correctly in that environment - but this raises two separate problems:

1) this is not consistent with ACF behavior - ACF doesn't complain, and a usable value is returned by CSRFGenerateToken()

2) There isn't an obvious way to know if J2EE sessions are enabled (i.e. when I shouldn't be calling these methods) - am I missing something?

For now... it seems that we have to work around this problem by building our own equivalent to CSRFGenerateToken and use it if we catch an exception from the 'real' call

While it is true that the full benefit of SessionRotate is subverted by the J2EE session mechanism, use of a separate CSRF token is still worthwhile. We shouldn't have to build our own.
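The workaround described above (fall back to a self-generated token when the built-in call throws) as an added CFML example; this is not code from the Lucee issue or from the reporter. It assumes a session scope is available, that the session key name `csrfFallback` and the function names are our own, and that once the fallback has been used for a key the same session keeps using it for verification.

```cfml
<cfscript>
// Returns true once we have stored our own token for this key in the session,
// i.e. the built-in csrfGenerateToken() threw earlier (J2EE sessions on Lucee).
function usingCsrfFallback(required string key) {
    return structKeyExists(session, "csrfFallback")
        && structKeyExists(session.csrfFallback, arguments.key);
}

// Drop-in replacement for csrfGenerateToken(): try the engine first, and only
// if it throws, generate and cache a random token of our own.
function getCsrfToken(string key = "default", boolean forceNew = false) {
    if (!usingCsrfFallback(arguments.key)) {
        try {
            // Works on ACF, and on Lucee with native (non-J2EE) sessions.
            return csrfGenerateToken(arguments.key, arguments.forceNew);
        } catch (any e) {
            // Fall through to the fallback below.
        }
    }
    if (!structKeyExists(session, "csrfFallback")) {
        session.csrfFallback = {};
    }
    if (arguments.forceNew || !structKeyExists(session.csrfFallback, arguments.key)) {
        // generateSecretKey() uses the JCE KeyGenerator, i.e. a CSPRNG;
        // 256 random bits, base64-encoded, is plenty for a CSRF token.
        session.csrfFallback[arguments.key] = generateSecretKey("AES", 256);
    }
    return session.csrfFallback[arguments.key];
}

// Drop-in replacement for csrfVerifyToken(): compare against our own stored
// token when the fallback is in use, otherwise defer to the engine.
function verifyCsrfToken(required string token, string key = "default") {
    if (!usingCsrfFallback(arguments.key)) {
        return csrfVerifyToken(arguments.token, arguments.key);
    }
    // Constant-time comparison so a mismatch cannot be timed byte by byte.
    var md = createObject("java", "java.security.MessageDigest");
    return md.isEqual(
        charsetDecode(arguments.token, "utf-8"),
        charsetDecode(session.csrfFallback[arguments.key], "utf-8")
    );
}

// Usage: emit the token in a form, then check it on the POST handler.
// writeOutput('<input type="hidden" name="csrf" value="#encodeForHTMLAttribute(getCsrfToken())#">');
// if (!verifyCsrfToken(form.csrf)) { throw(type="CSRFTokenInvalid", message="Bad CSRF token"); }
</cfscript>
```

The fallback is chosen per key and remembered in the session, so verification never silently switches back to the engine's (non-functional) store mid-session. It does not restore what SessionRotate is meant to do; it only keeps a usable per-session CSRF token, which is the point the reporter makes above.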

Environment

Linux (CentOS 7), Java 8 and Java 11

Assignee

Pothys - MitrahSoft

Reporter

Tim Parker

Priority

New

Labels

Fix versions

None

Affects versions
