[11.1.x] PaxWebSessionIdManager.getSessionIdSuffix misbehavior

[grgrzybek]

Discussed in #2108

^{Originally posted by nicolasbron October 6, 2025}
Hi,

I have a question in regards to the session id suffix. Currently I have a bundle that is provides a Web-Context: /sdk.
After successful authentication and redirect a newly created HttpSession the id is equal to:
node0i7461jjyx7h8c5d1nffevls85~sdk##sdk
However the request session id (saved in cookie is equal to):
node0i7461jjyx7h8c5d1nffevls85.node0
And the ManagedSession is equal to:
node0i7461jjyx7h8c5d1nffevls85~sdk##sdk.node0

Unfortunately due to this ~sdk##sdk suffix the method:
request.isRequestedSessionIdValid always return false.
It's due to the fact that:

    public boolean isRequestedSessionIdValid() {
        AbstractSessionManager.RequestedSession requestedSession = this.getServletRequestInfo().getRequestedSession();
        HttpSession session = this.getSession(false);
        SessionManager manager = this.getServletRequestInfo().getSessionManager();
        return requestedSession != null && requestedSession.sessionId() != null && requestedSession.session() != null && requestedSession.session().isValid() && manager != null && manager.getSessionIdManager().getId(requestedSession.sessionId()).equals(session.getId());
    }

The requestedSession.session() is null. When I remove the "~sdk##sdk" suffix everything is working as expected. Am I missing something?

[grgrzybek]

I've just checked that this problem is for pax-web-jetty only.

[grgrzybek]

In full integration tests, pax-web-tomcat works fine, but pax-web-jetty and pax-web-undertow fail.

[grgrzybek]

Fixed Jetty part, working on Undertow failures.