GLASSFISH-19070

Glassfish creates more than one http session in realm authentication

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1.2
    • Fix Version/s: 4.0_b54
    • Component/s: web_container
    • Labels:
      None

      Description

      When changeSessionIdOnAuthentication==true (default) and a user authenticates with a Realm, Glassfish calls sessions.setId(with_new_generated_id), which executes (through tellNew()): fireSessionEvent(Session.SESSION_CREATED_EVENT, null)
      It is still the same session, but with a new Id (no SESSION_DESTROYED_EVENT is called). This gives us a problem similar to:
      http://stackoverflow.com/questions/11842343/glassfish-create-more-than-one-http-session-in-realm-authentication - and only half of the sessions are being destroyed (see the counter in the administration panel: application monitoring/activeSessions).

      This is because StandardSession.setId() calls the method tellNew() even if it is still the same session (but with a new generated Id).

      Now the setId() method in web-core/src/main/java/org/apache/catalina/session/StandardSession.java looks like:

      public void setId(String id) {
          if ((this.id != null) && (manager != null))
              manager.remove(this);
          this.id = id;
          if (manager != null)
              manager.add(this);
          tellNew(); // this ALWAYS calls event: Session.SESSION_CREATED_EVENT
      }

      but I think it should be something like this:

      public void setId(String id) {
          if ((this.id != null) && (manager != null))
              manager.remove(this);
          String old_id = this.id;
          this.id = id;
          if (manager != null)
              manager.add(this);
          if (old_id == null)
              tellNew(); // only call Session.SESSION_CREATED_EVENT if it is a new Session
      }

      so the new session will be created only when the old session Id is null.
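
      The counter drift described in the report, as an added example that is not part of the original issue or of the GlassFish source: a minimal model in which `Counter` stands in for a session listener, and `Session`, `fixed` and `leakedAfterLoginAndLogout` are hypothetical names. It runs one create, login and invalidate cycle against both versions of setId() and reports how many sessions the listener still counts as active.

```java
import java.util.UUID;

// Added illustration: a minimal model of the event flow, not GlassFish source.
public class SessionIdChangeDemo {
    // Stand-in for a session listener that tracks active sessions.
    static class Counter {
        int active;
        void created()   { active++; }
        void destroyed() { active--; }
    }

    static class Session {
        private final Counter listener;
        private final boolean fixed;   // true = setId() as proposed in the report
        private String id;

        Session(Counter listener, boolean fixed) {
            this.listener = listener;
            this.fixed = fixed;
        }

        void setId(String newId) {
            String oldId = this.id;
            this.id = newId;
            // Reported behaviour: the created event fires on every call.
            // Proposed behaviour: it fires only when there was no previous id.
            if (!fixed || oldId == null) listener.created();
        }

        void invalidate() { listener.destroyed(); }
    }

    // Create a session, rotate its id at login, then invalidate it.
    static int leakedAfterLoginAndLogout(boolean fixed) {
        Counter c = new Counter();
        Session s = new Session(c, fixed);
        s.setId(UUID.randomUUID().toString());   // first request creates the session
        s.setId(UUID.randomUUID().toString());   // id change on authentication
        s.invalidate();                          // logout or timeout
        return c.active;                         // sessions the listener still counts
    }

    public static void main(String[] args) {
        System.out.println("reported setId(): " + leakedAfterLoginAndLogout(false));
        System.out.println("proposed setId(): " + leakedAfterLoginAndLogout(true));
    }
}
```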

          People

          • Assignee: Shing Wai Chan
          • Reporter: lenz11
          • Votes: 1
          • Watchers: 2