Added protection against accidental removal of session cookie from response in
very unlikely scenario in which:
1. A servlet in Context A creates a session. The SessionTracker tracks
it. The request returns before the session expires.
2. While A's session is still active, a servlet in Context B creates a
It so happens that the session in B has the same sessionid as the one
that was generated in A. It also so happens that the request on which
the session is created in B is the same (pooled) request (with the
same SessionTracker!) on which the session in A had been created. It
also so happens that the session created in A expires before the
request returns from B.
In this case, the SessionTracker will get notified of the session expiration,
and since the id of the expired session is the same as the session id it is
currently tracking, the SessionTracker will decrement its counter of tracked
sessions and remove the JSESSIONID cookie from the response if the counter has
dropped to zero.
The added protection will prevent this from happening, by having a
SessionTracker not only keep track of the session id it is tracking, but also of
the list of contexts whose sessions it is tracking (this list will be reset when
a request and its SessionTracker are recycled).
With this, when a SessionTracker is notified of a session destroyed event, it
will decrement its counter of tracked sessions (and remove the cookie from the
response if the counter has dropped to zero) only if
- the id of the destroyed session is equal to the session id being
tracked (existing check), AND
- the context of the destroyed session is amongst the contexts of the
sessions being tracked (new check).
Checking in SessionTracker.java;
new revision: 1.7; previous revision: 1.6
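
A minimal model of the two checks described in the commit message above, added here as an illustration; it is not the project's SessionTracker.java. The class name `TrackerSketch`, its methods, the context paths and the session id are assumptions made for the example.

```java
import java.util.HashSet;
import java.util.Set;

// Illustrative model only: names and structure are assumptions, not the real SessionTracker.java.
public class TrackerSketch {
    private String trackedId;                                     // session id being tracked
    private int activeSessions;                                   // counter of tracked sessions
    private final Set<String> trackedContexts = new HashSet<>();  // contexts whose sessions are tracked
    private boolean cookieRemoved;                                // stands in for dropping JSESSIONID

    void sessionCreated(String id, String context) {
        trackedId = id;
        trackedContexts.add(context);
        activeSessions++;
    }

    // contextCheck == false models the behaviour before the change (id comparison only).
    void sessionDestroyed(String id, String context, boolean contextCheck) {
        if (!id.equals(trackedId)) return;                              // existing check
        if (contextCheck && !trackedContexts.contains(context)) return; // new check
        if (--activeSessions == 0) cookieRemoved = true;
    }

    // Called when the pooled request and its tracker are recycled.
    void recycle() {
        trackedId = null;
        activeSessions = 0;
        trackedContexts.clear();
        cookieRemoved = false;
    }

    boolean cookieRemoved() { return cookieRemoved; }

    // Replays the scenario: A's session is created, the request is recycled, B creates a
    // session with the same id on the reused request, then A's session expires.
    static boolean replay(boolean contextCheck) {
        TrackerSketch t = new TrackerSketch();
        t.sessionCreated("ABC123", "/A");   // constructed session id and context path
        t.recycle();                        // request from A returns to the pool
        t.sessionCreated("ABC123", "/B");   // same id, same pooled tracker
        t.sessionDestroyed("ABC123", "/A", contextCheck);
        return t.cookieRemoved();
    }

    public static void main(String[] args) {
        System.out.println("id check only      -> cookie removed: " + replay(false));
        System.out.println("id + context check -> cookie removed: " + replay(true));
    }
}
```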