Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/09/05 16:53:22 UTC

[Bug 55521] Race Condition in HttpSession#invalidate() / HttpServletRequest#getSession(boolean)

https://issues.apache.org/bugzilla/show_bug.cgi?id=55521

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I've taken a look at this and there are some things we can do in Tomcat to
ensure that a call to invalidate() doesn't return until the session has been
invalidated.

However, there may still be an issue that needs fixing in Spring Security.
Looking at SessionFixationProtectionStrategy.applySessionFixation() it is
possible (although even less likely than the issue you have seen) for
concurrent requests to generate a series of invalidate / create / invalidate /
create etc. events. It is pretty unlikely but is possible. Since I work for
Pivotal, I'll ping one of the developers.
