You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/03/29 21:21:02 UTC
DO NOT REPLY [Bug 34227] New: -
Simultanenous HttpRequests with shared HttpSession can leave it unable to timeout
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34227>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=34227
Summary: Simultanenous HttpRequests with shared HttpSession can
leave it unable to timeout
Product: Tomcat 5
Version: 5.0.28
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: evl123@yahoo.com
In the course of testing our web application have determined a race condition
exists when simultaneous requests come in to tomcat sharing a session.
The results are that a session will never timeout.
Looking into the code and adding log entries, basically the StandardSession
mantains an access count to determine how many threads are using the session at
once. The counter is incremented at the beginning of the request and decremented
during the recyle at the end if the session object is not null. The race
condition must be that the shared session object becomes unavailable to recyle
and therefore is left with a positive access count.
The session monitor thread (in the StandardManager) uses the isValid to expire
timed out sessions. But when a positive access count remains the session is
always valid and therefore will never expire.
We've also confirmed this behavior on 5.5.8.
To see this effect, write a HttpSessionListener object for the web application
and monitor session creation and destruction with a counter and using jmeter
have a web page that has 2 javascript include tags calling each a servlet that
uses the session for processing. Run up the jmeter on the server and then note
the number of sessions that never expire, even though you can print out last
access times that are far into the past. This is easier to see right away if you
set session timeout to something low like a couple of minutes.
If I get a chance to put more time into this I will followup with more and
possibly have test files and scripts to highlight this.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org