You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/05/04 12:57:36 UTC
DO NOT REPLY [Bug 49245] New: Servlet called with cross-context
request can access a stale session
https://issues.apache.org/bugzilla/show_bug.cgi?id=49245
Summary: Servlet called with cross-context request can access a
stale session
Product: Tomcat 6
Version: 6.0.26
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: knst.kolinko@gmail.com
Created an attachment (id=25396)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25396)
webapps.zip
When a servlet is called using cross-context forward/include call from another
web application, its call to request.getSession(boolean) may return a session
which was inactive for longer than configured session-timeout.
This issue was fixed in trunk in r926716
To reproduce:
1. Unzip the attached archive and deploy the two web applications contained
there, "expire" and "expireB". "expireB" is configured to have session-timeout
of one minute.
2. Access http://localhost:8080/expire/
The index.jsp page there will print current time and will display two sessions
from both web applications.
3. Wait for 65-70 seconds and once more access http://localhost:8080/expire/
You may see the following output:
[[[
Current time: Tue May 04 14:44:16 MSD 2010
expire/index.jsp: Session:
id: 6124AB5790D0ABF2CD6472D63EE5332D
isNew: false
getCreationTime: Tue May 04 14:43:04 MSD 2010
getLastAccessedTime: Tue May 04 14:43:04 MSD 2010
expireB/index.jsp: Session:
id: 6124AB5790D0ABF2CD6472D63EE5332D
isNew: false
getCreationTime: Tue May 04 14:43:05 MSD 2010
getLastAccessedTime: Tue May 04 14:43:05 MSD 2010
]]]
Current time is 14:44:16 which is more that 1 minute more than lastAccessedTime
of expireB session, 14:43:05. Observed: "expireB" reuses an old session.
Expected: to use a new session (isNew: true) in "expireB".
I think this issue is a minor one, because it looks as the effective value for
session-timeout configuration option is slightly greater that its literal
value:
1) I observed no problems with the session. Even if the session was a stale
one, session.access() call prolongs its lifetime. There was no
IllegalStateException when calling its methods.
2) There is a background thread that cleans stale sessions once in several
minutes (calls ManagerBase#processExpires()). This limits the difference
between effective and literal values of session-timeout.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 49245] Servlet called with cross-context request
can access a stale session
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49245
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> 2010-05-04 07:12:50 EDT ---
Fixed in 6.0 in r940804 and will be in 6.0.27 onwards.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org