tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 17591] New: - JDBCStore is not thread safe (sessions lost)
Date Mon, 03 Mar 2003 12:25:32 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17591>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17591

JDBCStore is not thread safe (sessions lost)

           Summary: JDBCStore is not thread safe (sessions lost)
           Product: Tomcat 4
           Version: 4.1.18
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: ronald@klop.yi.org


The methods load, etc. in JDBCStore are not thread safe.

But they are called by more than one thread simultaneously.

This gives a race condition with PreparedStatement, which can lead to sessions 
going to the wrong browser.

I sent a mail to security@apache.org, who forwarded it to the tomcat developers 
about two weeks ago, but I haven't seen a change in the CVS about this yet.

In our webapp we've seen more than once that users got somebody else's session 
after a reload of the webapp in which all the sessions get saved to and loaded 
from the database.

The use of the Statements is also not always correct.

ResultSets are closed before all the data of the ResultSet is used.

Example:

    in = new BufferedInputStream(resultset.getBinaryStream("bla"));
    resultset.close();
    in.read(...);

I think this is also not thread safe. And will succeed with small sessions, but 
fails if the serialized session is large.

I will submit an untested patch for JDBCStore.load().

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
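
The race described in the report, as an added example that is not part of the original message or of Tomcat's code. `FakeStatement` is a hypothetical stand-in for a `PreparedStatement` held in a field and shared between threads, the table contents are constructed, and a barrier forces the interleaving in which both threads bind their session id before either one executes.

```java
import java.util.Map;
import java.util.concurrent.*;

public class SharedStatementRace {
    // Constructed sample data: session id -> serialized session owner.
    static final Map<String, String> TABLE =
            Map.of("A", "session-of-alice", "B", "session-of-bob");

    // Hypothetical stand-in for a PreparedStatement: the bound parameter
    // is state that lives between the bind call and the execute call.
    static class FakeStatement {
        private String boundId;
        void setString(String id) { boundId = id; }
        String executeQuery() { return TABLE.get(boundId); }
    }

    static final FakeStatement shared = new FakeStatement();

    // Unsafe: bind and execute are separate steps on the shared statement.
    // The barrier makes both threads bind before either executes, so both
    // read the row for whichever id was bound last.
    static String loadUnsafe(String id, CyclicBarrier afterBind) throws Exception {
        shared.setString(id);
        afterBind.await();
        return shared.executeQuery();
    }

    // Safe: the whole bind/execute/read sequence runs under one lock.
    static String loadSafe(String id) {
        synchronized (shared) {
            shared.setString(id);
            return shared.executeQuery();
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CyclicBarrier barrier = new CyclicBarrier(2);
        Future<String> a = pool.submit(() -> loadUnsafe("A", barrier));
        Future<String> b = pool.submit(() -> loadUnsafe("B", barrier));
        System.out.println("unsafe: A got " + a.get() + ", B got " + b.get());

        Future<String> c = pool.submit(() -> loadSafe("A"));
        Future<String> d = pool.submit(() -> loadSafe("B"));
        System.out.println("safe:   A got " + c.get() + ", B got " + d.get());
        pool.shutdown();
    }
}
```

In the unsafe run both callers receive the same session, so one of them holds a session that belongs to the other id; with real JDBC the lock also has to cover reading the `ResultSet` stream, since that data is only valid until the result set is closed or the statement is re-executed.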

