You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/27 10:56:24 UTC

DO NOT REPLY [Bug 12069] New: - Creation of more HttpSession objects for one previously timed out session

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12069>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12069

Creation of more HttpSession objects for one previously timed out session

           Summary: Creation of more HttpSession objects for one previously
                    timed out session
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: vminarik@ips-ag.cz


Tomcat creates more than one HttpSession object when it gets two or more
requests with invalid (old, timed out) session cookie concurrently.
For example the server gets two requests with old cookie, checks that the
session object has timed out and creates two new HttpSession objects instead
of only one.

If you store some data to the session attributes when processing both requests,
you cannot be sure which data (of these two requests) will be there by the next
request, because you cannot influence which cookie will the browser use the
next time. The browser gets with these two responses also two different cookies,
and probably uses the one which comes later with next request. So you lose all
the data stored to the session from the request which finished first.

How to reproduce:
Download my testing source from
http://bimbo.fjfi.cvut.cz/~minarikv/jsp/sessions.zip
or make a JSP with the HTML similar to the following:

&lt;script&gt;
  function onLink()
  {
    window.open
( 'secondRequest.jsp', 'wizard', 'width=400px,height=250px,resizable=yes');
  }
&lt;/script&gt;
&lt;a href="firstRequest.jsp" onclick="onLink();"&gt;link&lt;/a&gt;

Note:
This is not a browser problem (tested in MSIE 5.0, MSIE 5.5, MSIE 6.0,
Netscape 4.77, and Opera 6.01 with the same result: two sessions were created).
The problem must be solved at Tomcat side, when it gets an old cookie more than
once.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>