Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/02/07 12:32:25 UTC
DO NOT REPLY [Bug 16874] New: -
Same session of two different clients as a result of a lack in synchronization during recycling sessions
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16874
Summary: Same session of two different clients as a result of a
lack in synchronization during recycling sessions
Product: Tomcat 4
Version: 4.1.18
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: thomas.siedschlag@gmx.net
The expire(boolean notify) method of StandardSession is not safely synchronized.
    public void expire(boolean notify) {
        // Mark this session as "being expired" if needed
        if (expiring)
            return;
        expiring = true;
        ...
        expiring = false;
    }
In my opinion, it is possible that the expire() method can be called twice. As a
result of that, the same session object will be added to the recycled list twice.
So the generateSession() of the ManagerBase will get the same session object
twice. As a result, the same session will be shared by different clients!
So it would be nice if somebody with more background could review the source files
and comment on this issue.
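Added example (not part of the original report and not Tomcat's code): a toy model of the check-then-set guard described above, next to an atomic test-and-set guard, with two threads expiring the same object. The Session class, the RECYCLED queue, the method names and the barrier that holds both threads between the check and the set are assumptions made for the demonstration.

```java
import java.util.Queue;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.atomic.AtomicBoolean;

// Toy model; Session, RECYCLED and the method names are hypothetical, not Tomcat's classes.
public class RecycleRaceDemo {
    static class Session {
        volatile boolean expiring;                          // plain flag, as in the report
        final AtomicBoolean expired = new AtomicBoolean();  // used by the hardened variant
    }

    static final Queue<Session> RECYCLED = new ConcurrentLinkedQueue<>();

    // Guard shaped like the reported one: the check and the set are separate steps.
    static void expireUnsafe(Session s, CyclicBarrier gap) throws Exception {
        if (s.expiring) return;
        gap.await();              // constructed: parks both threads between check and set
        s.expiring = true;
        RECYCLED.add(s);          // stands in for the elided recycling work
        s.expiring = false;
    }

    // Hardened variant: a single atomic test-and-set that is never reset here.
    static void expireSafe(Session s) {
        if (!s.expired.compareAndSet(false, true)) return;
        RECYCLED.add(s);
    }

    // Two threads expire the same session; returns how many times it was recycled.
    static int recycleCount(boolean safe) throws Exception {
        RECYCLED.clear();
        Session s = new Session();
        CyclicBarrier barrier = new CyclicBarrier(2);
        Runnable task = () -> {
            try {
                if (safe) { barrier.await(); expireSafe(s); }
                else expireUnsafe(s, barrier);
            } catch (Exception e) { throw new RuntimeException(e); }
        };
        Thread a = new Thread(task), b = new Thread(task);
        a.start(); b.start(); a.join(); b.join();
        return RECYCLED.size();
    }

    public static void main(String[] args) throws Exception {
        for (boolean safe : new boolean[] {false, true}) {
            int n = recycleCount(safe);
            Session client1 = RECYCLED.poll(), client2 = RECYCLED.poll();
            System.out.println((safe ? "atomic guard" : "reported guard") + ": recycled " + n
                + " time(s), two clients share one object: " + (client1 != null && client1 == client2));
        }
    }
}
```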