Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/02/07 12:32:25 UTC

DO NOT REPLY [Bug 16874] New: - Same session of two different clients as a result of a lack in synchronization during recycling sessions


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16874

           Summary: Same session of two different clients as a result of a
                    lack in synchronization during recycling sessions
           Product: Tomcat 4
           Version: 4.1.18
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: thomas.siedschlag@gmx.net


The expire(boolean notify) method of StandardSession is not safely synchronized.

    public void expire(boolean notify) {

        // Mark this session as "being expired" if needed
        if (expiring)
            return;
        expiring = true;

        ...

        expiring = false;

    }

In my opinion, it is possible for the expire() method to be called twice. As a
result, the same session object will be added to the recycled list twice.
So the generateSession() of the ManagerBase will get the same session object
twice. As a result, the same session will be shared by different clients!

So it would be nice if somebody with more background could review the source
files and comment on this issue.

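The failure mode described in the report, as an added Java example that is not part of the original message and is not Tomcat's code: a check-then-act guard on a plain boolean lets two threads recycle the same object, while an atomic test-and-set lets only one through. The names Session, recycled, expireUnsafe and expireSafe are hypothetical, and a CyclicBarrier is used to force the interleaving that would otherwise depend on scheduling.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.atomic.AtomicBoolean;

// Illustration only: Session, recycled and the method names are hypothetical, not Tomcat's classes.
public class ExpireRaceDemo {
    static final List<Session> recycled = new ArrayList<>();

    static void recycle(Session s) {
        synchronized (recycled) { recycled.add(s); }
    }

    static class Session {
        boolean expiring;                                   // plain flag, as in the reported method
        final AtomicBoolean expired = new AtomicBoolean();  // guard used by the safe variant

        // Check-then-act on a plain field. The barrier stands in for unlucky scheduling:
        // both threads pass the check before either one sets the flag.
        void expireUnsafe(CyclicBarrier bothPastCheck) {
            if (expiring) return;
            try { bothPastCheck.await(); } catch (Exception e) { throw new IllegalStateException(e); }
            expiring = true;
            recycle(this);
            expiring = false;
        }

        // Atomic test-and-set: exactly one caller wins, every other caller returns.
        void expireSafe() {
            if (!expired.compareAndSet(false, true)) return;
            recycle(this);
        }
    }

    // Expires one session from two threads and returns how often it was recycled.
    static int expireConcurrently(boolean safe) throws InterruptedException {
        synchronized (recycled) { recycled.clear(); }
        Session s = new Session();
        CyclicBarrier gate = new CyclicBarrier(2);
        Runnable task = () -> { if (safe) s.expireSafe(); else s.expireUnsafe(gate); };
        Thread a = new Thread(task), b = new Thread(task);
        a.start(); b.start(); a.join(); b.join();
        return recycled.size();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsafe: recycled " + expireConcurrently(false) + " time(s)");
        // Two new clients each take an entry from the pool and receive the same object.
        System.out.println("clients share one session: " + (recycled.get(0) == recycled.get(1)));
        System.out.println("safe:   recycled " + expireConcurrently(true) + " time(s)");
    }
}
```

In a real pool the guard would also have to be reset, under the same protection, when a recycled session is handed out again.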