We modified Vaadin 7 by applying a backport of vaadin/framework#11859 to it.
The patch is as follows:
From 49cdbe8fba2b0a4c830cbe4221c1d2459abfab14 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 6 Jan 2020 15:34:06 +0100
Subject: [PATCH] Use 403 Forbidden instead of 410 Gone when session expired.
Change-Id: Ieb862b5cb34ae427472415ab33a5696d7a7a27ed
---
.../communication/DefaultConnectionStateHandler.java | 2 +-
.../src/main/java/com/vaadin/server/VaadinService.java | 9 ++++++++-
.../vaadin/server/communication/HeartbeatHandler.java | 8 +++++++-
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java b/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java
index 071ea7b0f6..6fb53d2190 100644
--- a/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java
+++ b/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java
@@ -154,7 +154,7 @@ public class DefaultConnectionStateHandler implements ConnectionStateHandler {
int statusCode = response.getStatusCode();
getLogger().warning("Heartbeat request returned " + statusCode);
- if (response.getStatusCode() == Response.SC_GONE) {
+ if (response.getStatusCode() == Response.SC_FORBIDDEN) {
// Session expired
getConnection().showSessionExpiredError(null);
stopApplication();
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index 5107ff1501..f03eaa32ac 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -1565,7 +1565,14 @@ public abstract class VaadinService implements Serializable {
* endless loop. This can at least happen if refreshing a
* resource when the session has expired.
*/
- response.sendError(HttpServletResponse.SC_GONE,
+ // Ensure that the browser does not cache expired responses.
+ // iOS 6 Safari requires this (#10370)
+ response.setHeader("Cache-Control", "no-cache");
+ // If Content-Type is not set, browsers assume text/html and may
+ // complain about the empty response body (#12182)
+ response.setHeader("Content-Type", "text/plain");
+
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
"Session expired");
}
} catch (IOException e) {
diff --git a/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java b/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
index ed2faad05a..6fc9d8807c 100644
--- a/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
@@ -88,8 +88,14 @@ public class HeartbeatHandler extends SynchronizedRequestHandler
if (!ServletPortletHelper.isHeartbeatRequest(request)) {
return false;
}
+ // Ensure that the browser does not cache expired heartbeat responses.
+ // iOS 6 Safari requires this (#10370)
+ response.setHeader("Cache-Control", "no-cache");
+ // If Content-Type is not set, browsers assume text/html and may
+ // complain about the empty response body (#12182)
+ response.setHeader("Content-Type", "text/plain");
- response.sendError(HttpServletResponse.SC_GONE, "Session expired");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
return true;
}
}
--
2.17.1