
Key: GLASSFISH-19070
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Shing Wai Chan
Reporter: lenz11
Votes: 1
Watchers: 2

Glassfish creates more than one http session in realm authentication

Created: 11/Sep/12 01:22 PM   Updated: 10/Oct/12 04:55 AM   Resolved: 10/Oct/12 04:55 AM
Component/s: web_container
Affects Version/s: 3.1.2
Fix Version/s: 4.0_b54

Time Tracking:
Not Specified

Tags: double http sessions realm authentication
Participants: lenz11 and Shing Wai Chan

Description

When changeSessionIdOnAuthentication==true (default) and a user authenticates with a Realm, GlassFish calls sessions.setId(with_new_generated_id), which executes (through tellNew()): fireSessionEvent(Session.SESSION_CREATED_EVENT, null)
It is still the same session, but with a new Id (no SESSION_DESTROYED_EVENT is called). This gives us a problem similar to: - and only half of the sessions are being destroyed (see the counter in the administration panel: application monitoring/activeSessions).

This is because StandardSession.setId() calls the method tellNew() even if it is still the same session (but with a newly generated Id).

Now setId() method in web-core/src/main/java/org/apache/catalina/session/ looks like:

public void setId(String id) {
    if ((this.id != null) && (manager != null))
        manager.remove(this);
    this.id = id;
    if (manager != null)
        manager.add(this);
    tellNew(); // this ALWAYS calls event: Session.SESSION_CREATED_EVENT
}

but I think it should be something like this:

public void setId(String id) {
    if ((this.id != null) && (manager != null))
        manager.remove(this);
    String old_id = this.id;
    this.id = id;
    if (manager != null)
        manager.add(this);
    if (old_id == null)
        tellNew(); // only call Session.SESSION_CREATED_EVENT if it is a new Session
}

so the new session will be created only when the old session Id is null.
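
The counter drift described in this report, as a stand-alone model added here (not GlassFish code and not written by the reporter). ModelSession, ActiveSessionCounter and the fireOnlyForNewSession flag are hypothetical names; the model only mirrors the event order from the description: one created event per setId() call, one destroyed event per session.

```java
import java.util.UUID;

// Added example: a minimal stand-in for the session/listener interaction in the
// report. All class and method names are hypothetical, not GlassFish code.
public class SessionIdChangeDemo {

    /** Plays the role of a monitoring listener that tracks active sessions. */
    static class ActiveSessionCounter {
        int active;
        void sessionCreated()   { active++; }
        void sessionDestroyed() { active--; }
    }

    static class ModelSession {
        private String id;
        private final ActiveSessionCounter listener;
        private final boolean fireOnlyForNewSession;

        ModelSession(ActiveSessionCounter listener, boolean fireOnlyForNewSession) {
            this.listener = listener;
            this.fireOnlyForNewSession = fireOnlyForNewSession;
        }

        void setId(String newId) {
            String oldId = this.id;
            this.id = newId;
            // Reported behaviour: always fire "created".
            // Proposed behaviour: fire only when there was no previous id.
            if (!fireOnlyForNewSession || oldId == null) listener.sessionCreated();
        }

        void expire() { listener.sessionDestroyed(); } // exactly one destroy event
    }

    /** Each user: session created, id changed at login, session expired. */
    static int activeAfterLoginAndExpiry(boolean fireOnlyForNewSession, int users) {
        ActiveSessionCounter counter = new ActiveSessionCounter();
        for (int i = 0; i < users; i++) {
            ModelSession s = new ModelSession(counter, fireOnlyForNewSession);
            s.setId(UUID.randomUUID().toString()); // initial, unauthenticated session
            s.setId(UUID.randomUUID().toString()); // id change on authentication
            s.expire();
        }
        return counter.active; // sessions the counter still believes are alive
    }

    public static void main(String[] args) {
        System.out.println("always fire created: " + activeAfterLoginAndExpiry(false, 100));
        System.out.println("fire only if new:    " + activeAfterLoginAndExpiry(true, 100));
    }
}
```

Any listener that pairs created and destroyed events (session counters, per-session resource tracking, audit logging) drifts the same way, so a fix belongs in the container rather than in each listener.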

Shing Wai Chan added a comment - 10/Oct/12 04:55 AM

The fix has been checked in to GlassFish 4.0 b54 as follows:
r55887 | swchan2 | 2012-09-10 12:57:46 -0700 (Mon, 10 Sep 2012) | 2 lines

integrate javax.servlet-api 3.1-b02, implement changeSessionId