Posted to user@shiro.apache.org by smm <st...@hcs.us.com> on 2016/07/27 18:57:30 UTC

Session Expiration race condition

Hello,

I've uncovered in our implementation and deployment of Shiro a race
condition that can (and does) occur when a Session Expires.  Here are the
steps that have to occur for us to "lose" the race:

1) User logs in which creates a session.  Session is cached and persisted
(to a MySQL database).
2) User does nothing right up until the session is about to expire.
3) User requests a JSP just before his session is about to expire.
4) Servlet gets the Subject.
5) ExecutorServiceSessionValidationScheduler expires the session and deletes
it from the cache and database.
6) The Servlet tries to extract the Subject's Principal, but the session
doesn't exist so it throws: javax.servlet.ServletException:
org.apache.shiro.session.UnknownSessionException: There is no session with
id [190fdf2a-daf7-41d2-aa3c-4eb2da9b33f2].
7) The user gets a 500 error (yikes!).

So my question is what normally should prevent this problem?  We have a
custom SessionDAO, so I'm assuming the bug is in our implementation
somewhere, but it wasn't obvious to me what is the best way to handle a
Session being invalidated when some other thread has a handle to the
Session.

I can, of course, post code, but I'm not really sure which code to post. 
Oh, we're using Shiro 1.2.2.

Thanks!

--Stephen



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Session-Expiration-race-condition-tp7581181.html
Sent from the Shiro User mailing list archive at Nabble.com.
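The failure described in steps 4 to 7 is a lost race between the request thread and the session validation scheduler, and the security-relevant fix is to fail closed: a session that vanishes mid-request should be treated as "not logged in", not as a 500. The servlet below is an added example written for this thread, not code from the original post or from the Shiro project. It assumes Shiro's usual ShiroFilter/SecurityManager wiring is in place; the servlet name and the `/login.jsp` redirect target are placeholders.

```java
// Added example (not from the thread or from Shiro itself): a servlet that
// resolves the principal defensively so a session deleted by the validation
// scheduler between "get the Subject" and "get the Principal" produces a
// redirect to login instead of a 500. Assumes a login page at /login.jsp
// (placeholder) and the standard ShiroFilter setup.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;

public class ProfileServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject = SecurityUtils.getSubject();
        Object principal;
        try {
            // This call can reach the session store; the report shows it throwing
            // UnknownSessionException, which is a subclass of InvalidSessionException
            // (as are ExpiredSessionException and StoppedSessionException).
            principal = subject.getPrincipal();
        } catch (InvalidSessionException e) {
            // Fail closed: a session that disappeared underneath us means the
            // caller is no longer authenticated, not that the application is broken.
            rejectAsUnauthenticated(req, resp, e);
            return;
        }
        if (principal == null) {
            rejectAsUnauthenticated(req, resp, null);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + principal);
    }

    private void rejectAsUnauthenticated(HttpServletRequest req, HttpServletResponse resp,
                                         InvalidSessionException cause) throws IOException {
        if (cause != null) {
            // GenericServlet.log(): record the event for correlation with the
            // validation scheduler's own logging, without leaking it to the user.
            log("Session invalid during request to " + req.getRequestURI()
                    + ": " + cause.getMessage());
        }
        // Clear any stale Subject state bound to this thread before redirecting.
        try {
            SecurityUtils.getSubject().logout();
        } catch (InvalidSessionException ignored) {
            // The session is already gone; there is nothing left to invalidate.
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

Catching `InvalidSessionException` rather than only `UnknownSessionException` covers the whole family of "this session is no longer usable" outcomes, so the same path handles a session that the scheduler expired, one that was stopped by an explicit logout elsewhere, and one whose row a custom SessionDAO has already deleted. The redirect is the important part for the user; the `logout()` is there so the request thread does not carry a Subject that still references the dead session id.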

Re: Session Expiration race condition

Posted by smm <st...@hcs.us.com>.
I've decided that my above test doesn't make any sense, because the Session
will be "touched" (lastAccessTime) updated before I get the Subject and the
Subject's Principal, so with a reasonable timeout, it should still be fine. 
Seems unreasonable that the Servlet would be hung for 30 minutes (the
default Session timeout).




Re: Session Expiration race condition

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
I am using Shiro (with native sessions) with Servlets as well and do not have this issue.
I would think that Shiro would create a new session if a current session is not found,
as that would be the proper behavior.  Sorry, I don’t have a pointer to that code,
but I am sure it would be easy to figure out.

> On Jul 27, 2016, at 1:57 PM, smm <st...@hcs.us.com> wrote:
> 
> Hello,
> 
> I've uncovered in our implementation and deployment of Shiro a race
> condition that can (and does) occur when a Session Expires.  Here are the
> steps that have to occur for us to "lose" the race:
> 
> 1) User logs in which creates a session.  Session is cached and persisted
> (to a MySQL database).
> 2) User does nothing right up until the session is about to expire.
> 3) User requests a JSP just before his session is about to expire.
> 4) Servlet gets the Subject.
> 5) ExecutorServiceSessionValidationScheduler expires the session and deletes
> it from the cache and database.
> 6) The Servlet tries to extract the Subject's Principal, but the session
> doesn't exist so it throws: javax.servlet.ServletException:
> org.apache.shiro.session.UnknownSessionException: There is no session with
> id [190fdf2a-daf7-41d2-aa3c-4eb2da9b33f2].
> 7) The user gets a 500 error (yikes!).
> 
> So my question is what normally should prevent this problem?  We have a
> custom SessionDAO, so I'm assuming the bug is in our implementation
> somewhere, but it wasn't obvious to me what is the best way to handle a
> Session being invalidated when some other thread has a handle to the
> Session.
> 
> I can, of course, post code, but I'm not really sure which code to post. 
> Oh, we're using Shiro 1.2.2.
> 
> Thanks!
> 
> --Stephen
> 