Posted to users@tomcat.apache.org by David Rees <dr...@gmail.com> on 2014/05/29 09:58:56 UTC

Tomcat 7.0.54 - Session invalidate broken in some apps

I've found that certain applications will no longer invalidate
sessions after upgrading from 7.0.53 to 7.0.54.

It seems to require clustering to be set up in Tomcat. If it's not set
up, session invalidation works fine.

So far, I can only trigger it in a webapp that uses Tapestry Spring Security.

I see a few changes in the changelog related to session invalidate and
clustering, could one of these changes be responsible?

Anyone else see the same issue?

-Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 7.0.54 - Session invalidate broken in some apps

Posted by David Rees <dr...@gmail.com>.
On Thu, May 29, 2014 at 6:16 PM, David Rees <dr...@gmail.com> wrote:
> I'll open a ticket with these details, too.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56578

-Dave


Re: Tomcat 7.0.54 - Session invalidate broken in some apps

Posted by David Rees <dr...@gmail.com>.
On Thu, May 29, 2014 at 12:39 PM, David Rees <dr...@gmail.com> wrote:
>
> Yes. Specifics to make this happen seem to be:
>
> TC 7.0.54 in a cluster, Tapestry 5.2.6 + Tapestry Spring Security.

OK, I was wrong, no Tapestry or Spring Security is required, just a
couple JSPs are required to reproduce. Key is that clustering needs to
be enabled.

Drop these two JSP files into your 7.0.54 cluster enabled web app.

/** session.jsp **/

<%@page session="true"%>
<html>
<body>
<table>
<tr><td>Session creation time:</td><td><%= session.getCreationTime() %></td></tr>
<tr><td>Session last accessed:</td><td><%= session.getLastAccessedTime() %></td></tr>
<tr><td>Current time:</td><td><%= System.currentTimeMillis() %></td></tr>
<tr><td>Is Session Id from URL?:</td><td><%= request.isRequestedSessionIdFromURL() %></td></tr>
<tr><td><a href="session.jsp">Reload Page</a></td><td><a href="invalidate.jsp">Invalidate</a></td></tr>
</table>
</body>
</html>

/** invalidate.jsp **/
<%-- Invalidate the current session, then bounce back to session.jsp so the
     creation time shown there tells you whether a new session was created. --%>
<%
request.getSession().invalidate();
response.sendRedirect("session.jsp");
%>

Make sure
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
is added to the Host of the webapp you dropped the files above into.

Clicking on Reload Page will show the same creation time. On a 7.0.53
if you click on Invalidate, you will get a new creation time. On
7.0.54, you do not.

I'll open a ticket with these details, too.

-Dave
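One way to turn the reproducer above into an automated check, rather than eyeballing the creation time in a browser. This is an added example, not code from the thread or from Tomcat. It assumes the two JSPs are deployed under a base URL passed on the command line, that Tomcat uses its default JSESSIONID cookie name, and that session.jsp renders the "Session creation time" table row exactly as posted above. The offline sample data at the bottom is constructed to model the two behaviours Dave describes: 7.0.53 issuing a fresh session after invalidate.jsp, and 7.0.54 in a cluster leaving the old session alive. A logout that silently leaves the session valid is exactly the kind of regression worth catching in a test, since the user believes the session is gone while the server still honours it.

```python
"""Check whether invalidate.jsp really produces a new session on a Tomcat
instance that has the session.jsp / invalidate.jsp reproducer deployed."""
import re
import sys
from http.cookiejar import CookieJar
from urllib.request import HTTPCookieProcessor, build_opener

# Matches the "Session creation time" row emitted by the posted session.jsp.
CREATION_RE = re.compile(r"Session creation time:</td><td>\s*(\d+)\s*</td>")
SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name (assumed unchanged)


def parse_creation_time(html):
    """Extract the session creation time (epoch milliseconds) from session.jsp output."""
    m = CREATION_RE.search(html)
    if m is None:
        raise ValueError("session.jsp output did not contain a creation time row")
    return int(m.group(1))


def snapshot(session_id, html):
    """Capture what identifies a session from one round trip to session.jsp."""
    return {"session_id": session_id, "creation_time": parse_creation_time(html)}


def invalidation_succeeded(before, after):
    """True only if the post-invalidate page belongs to a genuinely new session:
    a different session id, created no earlier than the old one."""
    return (after["session_id"] != before["session_id"]
            and after["creation_time"] >= before["creation_time"])


def session_id_from_jar(jar):
    """Return the current JSESSIONID value held by the cookie jar, if any."""
    for cookie in jar:
        if cookie.name == SESSION_COOKIE:
            return cookie.value
    return None


def run_live_check(base_url):
    """Drive a real server (hypothetical base_url such as http://localhost:8080/app).
    Returns (succeeded, before, after)."""
    jar = CookieJar()
    opener = build_opener(HTTPCookieProcessor(jar))
    html = opener.open(base_url + "/session.jsp").read().decode("utf-8", "replace")
    before = snapshot(session_id_from_jar(jar), html)
    # invalidate.jsp answers with a redirect to session.jsp; urllib follows the 302,
    # and any new Set-Cookie replaces the old JSESSIONID in the jar.
    html = opener.open(base_url + "/invalidate.jsp").read().decode("utf-8", "replace")
    after = snapshot(session_id_from_jar(jar), html)
    return invalidation_succeeded(before, after), before, after


# --- constructed sample output, modelled on the table session.jsp renders ---
def _page(creation_ms):
    return ("<html><body><table>"
            "<tr><td>Session creation time:</td><td>%d</td></tr>"
            "<tr><td>Session last accessed:</td><td>%d</td></tr>"
            "</table></body></html>" % (creation_ms, creation_ms + 5000))


# Expected (7.0.53) behaviour: new cookie value and a later creation time.
GOOD_BEFORE = snapshot("A1B2C3", _page(1401350000000))
GOOD_AFTER = snapshot("D4E5F6", _page(1401350060000))
# Reported (7.0.54 cluster) behaviour: the same session survives invalidate().
BAD_BEFORE = snapshot("A1B2C3", _page(1401350000000))
BAD_AFTER = snapshot("A1B2C3", _page(1401350000000))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, b, a = run_live_check(sys.argv[1].rstrip("/"))
        print("invalidate worked" if ok else "SESSION SURVIVED", b, a)
    else:
        print("7.0.53-style sample:", invalidation_succeeded(GOOD_BEFORE, GOOD_AFTER))
        print("7.0.54-style sample:", invalidation_succeeded(BAD_BEFORE, BAD_AFTER))
```

Run it with the deployed webapp's base URL to test a live node; with no argument it only evaluates the constructed samples. The check deliberately requires a changed session id, not just a changed creation time, because a session that keeps its id after invalidate() is the case the thread is about.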


Re: Tomcat 7.0.54 - Session invalidate broken in some apps

Posted by David Rees <dr...@gmail.com>.
On Thu, May 29, 2014 at 12:16 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Do you mean that you have a web application that does this:
>
>   session.invalidate();
>   session = request.getSession(true);
>
> ... and the old session is in fact not invalidated?

Yes. Specifics to make this happen seem to be:

TC 7.0.54 in a cluster, Tapestry 5.2.6 + Tapestry Spring Security.

7.0.53 is OK.
7.0.54 standalone is OK
Tapestry App without spring security is OK.
Plain old servlet apps work fine.

> Please demonstrate that the session is in fact not validated. Given
> your description, if this is really happening, it should be trivial to
> create a test-case.

Yes, just haven't had the time yet.

-Dave


Re: Tomcat 7.0.54 - Session invalidate broken in some apps

Posted by Christopher Schultz <ch...@christopherschultz.net>.
David,

On 5/29/14, 3:12 PM, David Rees wrote:
> On Thu, May 29, 2014 at 8:51 AM, Konstantin Kolinko 
> <kn...@gmail.com> wrote:
>> 2014-05-29 11:58 GMT+04:00 David Rees <dr...@gmail.com>:
>>> I've found that certain applications will no longer invalidate 
>>> sessions after upgrading from 7.0.53 to 7.0.54.
>>> 
>>> It seems to require clustering to be set up in Tomcat. If it's
>>> not set up, session invalidation works fine.
>>> 
>>> So far, I can only trigger it in a webapp that uses Tapestry
>>> Spring Security.
>>> 
>>> I see a few changes in the changelog related to session
>>> invalidate and clustering, could one of these changes be
>>> responsible?
>> 
>> What are the symptoms?
> 
> The symptoms are that you expect the current session to be
> invalidated and issued a new session on subsequent requests, but
> instead the session remains valid and all data in the session
> remains.

Do you mean that you have a web application that does this:

  session.invalidate();
  session = request.getSession(true);

... and the old session is in fact not invalidated?

>> Is there anything unusual in the log files?
> 
> Nothing in the logs as far as I can tell.
> 
>> Is a single web application affected, or does it span several
>> applications (via Single Sign On)?
> 
> Only a single web application is affected.
> 
>> You may consider debugging. 
>> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>> 
>> You may consider simplifying your configuration to build a simple 
>> reproduce scenario for a bug report.
> 
> Yes, those are my next steps, just haven't gotten that far yet and 
> wanted to see if anyone else was seeing anything similar.

Please demonstrate that the session is in fact not validated. Given
your description, if this is really happening, it should be trivial to
create a test-case.

- -chris


Re: Tomcat 7.0.54 - Session invalidate broken in some apps

Posted by David Rees <dr...@gmail.com>.
On Thu, May 29, 2014 at 8:51 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:
> 2014-05-29 11:58 GMT+04:00 David Rees <dr...@gmail.com>:
>> I've found that certain applications will no longer invalidate
>> sessions after upgrading from 7.0.53 to 7.0.54.
>>
>> It seems to require clustering to be set up in Tomcat. If it's not set
>> up, session invalidation works fine.
>>
>> So far, I can only trigger it in a webapp that uses Tapestry Spring Security.
>>
>> I see a few changes in the changelog related to session invalidate and
>> clustering, could one of these changes be responsible?
>
> What are the symptoms?

The symptoms are that you expect the current session to be invalidated
and issued a new session on subsequent requests, but instead the
session remains valid and all data in the session remains.

> Is there anything unusual in the log files?

Nothing in the logs as far as I can tell.

> Is a single web application affected, or does it span several applications
> (via Single Sign On)?

Only a single web application is affected.

> You may consider debugging.
> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> You may consider simplifying your configuration to build a simple
> reproduce scenario for a bug report.

Yes, those are my next steps, just haven't gotten that far yet and
wanted to see if anyone else was seeing anything similar.

Thanks

Dave


Re: Tomcat 7.0.54 - Session invalidate broken in some apps

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-29 11:58 GMT+04:00 David Rees <dr...@gmail.com>:
> I've found that certain applications will no longer invalidate
> sessions after upgrading from 7.0.53 to 7.0.54.
>
> It seems to require clustering to be set up in Tomcat. If it's not set
> up, session invalidation works fine.
>
> So far, I can only trigger it in a webapp that uses Tapestry Spring Security.
>
> I see a few changes in the changelog related to session invalidate and
> clustering, could one of these changes be responsible?
>

What are the symptoms?

Is there anything unusual in the log files?

Is a single web application affected, or does it span several applications
(via Single Sign On)?

You may consider debugging.
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

You may consider simplifying your configuration to build a simple
reproduce scenario for a bug report.

> Anyone else see the same issue?
>

Best regards,
Konstantin Kolinko