Invalidating any existing session model dating 9 or 10
FilterProxyServlet.dispatch(FilterProxyServlet.java:88)
at ws.webcontainer.servlet.FilterProxyServlet.service(FilterProxyServlet.java:62)
at ws.webcontainer.servlet.HttpInboundLink.handleNewRequest(HttpInboundLink.java:511)
at channel.HttpInboundLink.processRequest(HttpInboundLink.java:305)
at channel.

Once a user logs in, they are presented with one of these forms (which use CSRF). The issue is that if this box is presented after the authentication, the CSRF tokens are invalidated.

DefaultExtensionProcessor.handleRequest(DefaultExtensionProcessor.java:759)
at ws.webcontainer.webapp.
Even more confusing, the session exists, but the value is null. If create is false and the request has no valid HttpSession, this method returns null.

ServletWrapper.handleRequest(ServletWrapper.java:934)
at ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)
at ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
at wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:121)
at webcontainerext.

However if you really don't want to do that, You said: Thanks to @Mark Fox for pointing me to this CWE - although I knew it was through design, I'd hoped there would be a way for me to avoid going down the route I ended up.

This also works fine, i.e. it redirects me to if the session isn't created.