Infinite loop when obtaining the session

[smellsblue]

I have discovered an infinite loop possibility in JRuby::Rack::Session::SessionStore:

jruby-rack/src/main/ruby/jruby/rack/session_store.rb

Lines 85 to 101 in 5854db8

	def get_servlet_session(env, create = false)
	servlet_session = env[ENV_SERVLET_SESSION_KEY]
	invalid = false
	begin
	if servlet_session.nil? ||
	( create && ( invalid || servlet_session.getCreationTime.nil? ) )
	unless servlet_request = env['java.servlet_request']
	raise "JavaServletStore expects a servlet request at env['java.servlet_request']"
	end
	servlet_session = servlet_request.getSession(create)
	env[ENV_SERVLET_SESSION_KEY] = servlet_session
	end
	rescue java.lang.IllegalStateException # cached session invalidated
	invalid = true; retry # servlet_session.getCreationTime failed ...
	end
	servlet_session
	end

In the Java EE documentation for HttpServletRequest#getSession(boolean create), it says:

If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.

We have found ourselves in this situation, and so in the get_servlet_session method linked above, line 94 calls getSession(true) which ends up throwing an IllegalStateException. This gets caught on line 97, and then retried on line 98. Nothing changes, and so this loop will continue forever.

I haven't investigated exactly why our response is committed at the time this gets called (I suspect it is a redirect happening in a Tomcat request filter), so it might be that we are doing something silly that ends up causing this infinite loop, but it still seems like this code should not be possible to enter in an infinite loop.

I have fixed the issue in our system with a monkeypatch and verified that the infinite loop isn't happening anymore, so I will submit a PR with how I solved it.