You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/09/14 19:11:40 UTC
DO NOT REPLY [Bug 51812] New: Tomcat access logging "tickles"
session causing session to never time out
https://issues.apache.org/bugzilla/show_bug.cgi?id=51812
Bug #: 51812
Summary: Tomcat access logging "tickles" session causing
session to never time out
Product: Tomcat 7
Version: 7.0.14
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: danlee5002@gmail.com
Classification: Unclassified
I have created a web app (servlet application) that does asynchronous hits from
the browser to periodically fetch some status information and update the page.
These asynchronous hits are directed to a dedicated servlet in the same webapp
that takes great pains to never touch the session so that the session access
time is not modified. The idea is that these asynchronous hits don't count as
real hits else the session would never idle time out.
This worked fine on Tomcat-6.0.14. Upgrading to Tomcat-7.0.14 causes a problem
in that these asynchronous hits are updating the session access time.
I have traced the problem down to
org.apache.catalina.valves.AccessLogValve.java. When it is doing its logging,
it is trying to fetch the "principal" object from the session and thus changing
the session last access time. This does not seem to be legitimate.
Here is the relevant code:
/**
* Enforce the security restrictions in the web application deployment
* descriptor of our associated Context.
*
* @param request Request to be processed
* @param response Response to be processed
*
* @exception IOException if an input/output error occurs
* @exception ServletException if thrown by a processing element
*/
@Override
public void invoke(Request request, Response response)
throws IOException, ServletException {
if (log.isDebugEnabled())
log.debug("Security checking request " +
request.getMethod() + " " + request.getRequestURI());
LoginConfig config = this.context.getLoginConfig();
// Have we got a cached authenticated Principal to record?
if (cache) {
Principal principal = request.getUserPrincipal();
if (principal == null) {
Session session = request.getSessionInternal(false); <- Session
Ticked Here
if (session != null) {
principal = session.getPrincipal();
if (principal != null) {
if (log.isDebugEnabled())
log.debug("We have cached auth type " +
session.getAuthType() +
" for principal " +
session.getPrincipal());
request.setAuthType(session.getAuthType());
request.setUserPrincipal(principal);
}
}
}
Changing the source code so that cache=false, solves the problem and the
session access time is not affected by these asynchronous hits. I cannot find
a way to set cache=false other than changing source. Adding cache="false" to
the Valve tag in server.xml seems to have no effect.
It would be nice if this parameter were controllable or if the code did not
have this characteristic. Logging should not effect the user's session.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51812] Tomcat access logging "tickles" session
causing session to never time out
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51812
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
OS/Version| |All
--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-09-21 12:32:58 UTC ---
This report does not make any sense. The code quoted is from AuthenticatorBase
which has nothing to do with the AccessLogValve.
Secondly, I can't see any code path from the quoted code that would trigger an
update to the sessions last accessed time. Neither can I see any such code in
the AccessLogValve.
Finally, session expiration is tested by the Servlet TCK which every release of
Tomcat 7.0.x has passed.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51812] Tomcat access logging "tickles" session
causing session to never time out
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51812
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> 2011-09-21 18:13:02 UTC ---
(In reply to comment #0)
> I cannot find
> a way to set cache=false other than changing source. Adding cache="false" to
> the Valve tag in server.xml seems to have no effect.
Authenticators can be configured with <Valve> tag, and "cache" is a valid and
documented parameter there. E.g.,
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Basic_Authenticator_Valve
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org