[GLASSFISH-19070] Glassfish creates more than one http session in realm authentication Created: 11/Sep/12  Updated: 20/Dec/16  Resolved: 10/Oct/12

Status: Resolved
Project: glassfish
Component/s: web_container
Affects Version/s: 3.1.2
Fix Version/s: 4.0_dev

Type: Bug Priority: Critical
Reporter: lenz11 Assignee: Shing Wai Chan
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Tags: authentication, double, http, realm, sessions


When changeSessionIdOnAuthentication==true (default) and the user authenticates with a Realm, Glassfish calls session.setId(with_new_generated_id), which executes (through tellNew()): fireSessionEvent(Session.SESSION_CREATED_EVENT, null)
It is still the same session, but with a new Id (no SESSION_DESTROYED_EVENT is fired). This gives us a problem similar to:
http://stackoverflow.com/questions/11842343/glassfish-create-more-than-one-http-session-in-realm-authentication - and only half of the sessions are being destroyed (see the counter in the administration panel: application monitoring/activeSessions).

This is because StandardSession.setId() calls tellNew() even if it is still the same session (but with a new generated Id).

Now the setId() method in web-core/src/main/java/org/apache/catalina/session/StandardSession.java looks like:

    public void setId(String id) {
        if ((this.id != null) && (manager != null))
            manager.remove(this);
        this.id = id;
        if (manager != null)
            manager.add(this);
        tellNew(); // this ALWAYS fires the event: Session.SESSION_CREATED_EVENT
    }

but I think it should be something like this:

    public void setId(String id) {
        if ((this.id != null) && (manager != null))
            manager.remove(this);
        String old_id = this.id;
        this.id = id;
        if (manager != null)
            manager.add(this);
        if (old_id == null)
            tellNew(); // only fire Session.SESSION_CREATED_EVENT if it is a new Session
    }

so the new session will be created only when the old session Id is null.
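The mechanism described in the report, as an added stand-alone example (not code from GlassFish or from the reporter): a toy session and manager with the two setId() variants side by side, plus a listener that counts created/destroyed events the way an HttpSessionListener-backed activeSessions counter would. All class names (ToyManager, ToySession, CountingListener, SessionIdChangeDemo) and the event strings are hypothetical stand-ins for the Catalina types named above; the scenario is the one from the report: first request creates the session, the realm login rotates the id with changeSessionIdOnAuthentication=true, and the session later expires.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

// Hypothetical stand-in for the Catalina Manager: it only keeps the table of
// active sessions keyed by id, so manager.remove() must run while the
// session still carries its old id (as in the real setId()).
class ToyManager {
    final Map<String, ToySession> sessions = new HashMap<>();
    void add(ToySession s)    { sessions.put(s.id, s); }
    void remove(ToySession s) { sessions.remove(s.id); }
}

// Hypothetical listener that counts events like an HttpSessionListener would.
class CountingListener {
    int created, destroyed;
    void onEvent(String type) {
        if (type.equals(ToySession.SESSION_CREATED_EVENT))   created++;
        if (type.equals(ToySession.SESSION_DESTROYED_EVENT)) destroyed++;
    }
    int live() { return created - destroyed; }
}

class ToySession {
    // Constructed event names; the point is only that they are distinct.
    static final String SESSION_CREATED_EVENT   = "createSession";
    static final String SESSION_DESTROYED_EVENT = "destroySession";

    String id;
    final ToyManager manager;
    final List<CountingListener> listeners = new ArrayList<>();
    final boolean fixed; // false = behaviour reported above, true = proposed fix

    ToySession(ToyManager manager, boolean fixed) {
        this.manager = manager;
        this.fixed = fixed;
    }

    void fireSessionEvent(String type) {
        for (CountingListener l : listeners) l.onEvent(type);
    }

    void tellNew() { fireSessionEvent(SESSION_CREATED_EVENT); }

    // Mirrors the structure of StandardSession.setId() from the report.
    void setId(String newId) {
        if (this.id != null && manager != null) manager.remove(this);
        String oldId = this.id;
        this.id = newId;
        if (manager != null) manager.add(this);
        // Buggy variant: always announces a new session.
        // Fixed variant: only when there was no id before, i.e. a real new session.
        if (!fixed || oldId == null) tellNew();
    }

    // Logout or timeout: exactly one SESSION_DESTROYED_EVENT either way.
    void expire() {
        fireSessionEvent(SESSION_DESTROYED_EVENT);
        if (manager != null) manager.remove(this);
    }
}

public class SessionIdChangeDemo {
    // Returns what the listener believes is still alive after the session
    // has been created, re-identified on login, and expired. The manager's
    // table is empty at that point in both variants; only the event-based
    // count differs.
    static int liveAfterLoginAndLogout(boolean fixed) {
        ToyManager manager = new ToyManager();
        CountingListener listener = new CountingListener();
        ToySession session = new ToySession(manager, fixed);
        session.listeners.add(listener);

        session.setId(UUID.randomUUID().toString()); // first access: genuinely new session
        session.setId(UUID.randomUUID().toString()); // realm login: same session, rotated id
        session.expire();                            // logout / timeout

        if (!manager.sessions.isEmpty()) throw new IllegalStateException("manager still holds the session");
        return listener.live();
    }

    public static void main(String[] args) {
        System.out.println("buggy setId, listener's live count after logout: " + liveAfterLoginAndLogout(false));
        System.out.println("fixed setId, listener's live count after logout: " + liveAfterLoginAndLogout(true));
    }
}
```

With the buggy variant the listener sees two created events and one destroyed event for a single session, so its live count ends one higher than the manager's table; with the fix the two counts agree. The practical caveat for anyone who writes such a listener against a container that rotates session ids on login: count sessions by identity (the session object or a per-session attribute), not by created minus destroyed events, and note that Servlet 3.1 (which the fix below integrates) exposes id rotation separately through HttpServletRequest.changeSessionId() and HttpSessionIdListener.sessionIdChanged() rather than as a new session.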

Comment by Shing Wai Chan [ 10/Oct/12 ]

The fix has been checked in to GlassFish 4.0 b54 as follows:
r55887 | swchan2 | 2012-09-10 12:57:46 -0700 (Mon, 10 Sep 2012) | 2 lines

integrate javax.servlet-api 3.1-b02, implement changeSessionId

