DO NOT REPLY [Bug 51042] New: HttpSessionListener.sessionCreated() is called a second time when user is authenticated with no matching sessionDestroyed() call.

[bu...@apache.org]

https://issues.apache.org/bugzilla/show_bug.cgi?id=51042

           Summary: HttpSessionListener.sessionCreated() is called a
                    second time when user is authenticated with no
                    matching sessionDestroyed() call.
           Product: Tomcat 7
           Version: 7.0.11
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: jsa@silbergrau.com


When my web application has a HttpSessionListener configured in its web.xml,
then that classes sessionCreated() is called when a user is assigned a new
session.

However, that method is *also* called when that user authenticates itself and
the session is assigned a new ID (whether or not this is actually a "new
session" can be disputed, but that's not the point of this bug).

When the session is removed (due to a timeout, for example), then a single
sessionDestroyed() call is executed.

When the HttpSessionListener manages some kind of external resource, this
behaviour leads to a resource leak, because sessionCreated() is called twice,
while sessionRemoved() is only called once!

I'm aware of the reason for changing the session ID and (somehow) understand
why sessionCreated() is called again (after all there's a new session ID), but
there must be *some* way for the SessionListener to be notified that the "old
session" no longer exists.

The same behaviour is seen in Tomcat 6.0 (and probably 5.5 as well, but I
didn't test that).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

DO NOT REPLY [Bug 51042] HttpSessionListener.sessionCreated() is called a second time when user is authenticated with no matching sessionDestroyed() call.

[bu...@apache.org]

https://issues.apache.org/bugzilla/show_bug.cgi?id=51042

--- Comment #2 from Joachim Sauer <js...@silbergrau.com> 2011-04-08 05:57:14 EDT ---
(In reply to comment #1)
> By the way, the change that introduced this issue was the fix for bug #47774.

Oops, wrong bug number: #45255 is the correct one!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

DO NOT REPLY [Bug 51042] HttpSessionListener.sessionCreated() is called a second time when user is authenticated with no matching sessionDestroyed() call.

[bu...@apache.org]

https://issues.apache.org/bugzilla/show_bug.cgi?id=51042

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Konstantin Kolinko <kn...@gmail.com> 2011-08-22 12:10:26 UTC ---
Fixed in 5.5.x and will be in 5.5.34.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

DO NOT REPLY [Bug 51042] HttpSessionListener.sessionCreated() is called a second time when user is authenticated with no matching sessionDestroyed() call.

[bu...@apache.org]

https://issues.apache.org/bugzilla/show_bug.cgi?id=51042

--- Comment #1 from Joachim Sauer <js...@silbergrau.com> 2011-04-08 05:56:27 EDT ---
By the way, the change that introduced this issue was the fix for bug #47774.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

DO NOT REPLY [Bug 51042] HttpSessionListener.sessionCreated() is called a second time when user is authenticated with no matching sessionDestroyed() call.

[bu...@apache.org]

https://issues.apache.org/bugzilla/show_bug.cgi?id=51042

--- Comment #4 from Mark Thomas <ma...@apache.org> 2011-06-14 11:41:58 UTC ---
Fixed in 6.0.x and will be included in 6.0.33 onwards.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

DO NOT REPLY [Bug 51042] HttpSessionListener.sessionCreated() is called a second time when user is authenticated with no matching sessionDestroyed() call.

[bu...@apache.org]

https://issues.apache.org/bugzilla/show_bug.cgi?id=51042

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Catalina                    |Catalina
            Version|7.0.11                      |5.5.33
            Product|Tomcat 7                    |Tomcat 5

--- Comment #3 from Mark Thomas <ma...@apache.org> 2011-04-16 18:36:08 EDT ---
Fixed in 7.0.x for 7.0.13.

Proposed for 6.0.x and 5.5.x

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org