tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 25792] - Session timeout implemented incorrectly
Date Tue, 30 Dec 2003 14:29:14 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25792>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25792

Session timeout implemented incorrectly





------- Additional Comments From jarno.peltoniemi@uta.fi  2003-12-30 14:29 -------
The session timeout in Tomcat seems to be implemented in a way that doesn't take
the background clean-up thread into account.

StandardSession has two variables:
thisAccessedTime - the time for current request
lastAccessedTime - the time for last request (needed by
HttpSession.getLastAccessedTime)

The times are updated only once per request by the container so that
HttpSession.getLastAccessedTime() returns the time of the previous request. The
same variable is later used by the background thread to determine if the session
should be invalidated. Therefore the background cleanup thread checks the access
time of the _second_ latest request. This explains why 1 min refresh period
works with 3 min timeout while 2min refresh period does not. Isn't it possible
that the session could even be invalidated while processing a request?

Quick'n'dirty fix would be as follows:
======
diff -u -b -r1.26 StandardSession.java
--- StandardSession.java        29 Nov 2003 18:06:35 -0000      1.26
+++ StandardSession.java        30 Dec 2003 12:52:44 -0000
@@ -584,7 +584,7 @@

         if (maxInactiveInterval >= 0) {
             long timeNow = System.currentTimeMillis();
-            int timeIdle = (int) ((timeNow - lastAccessedTime) / 1000L);
+            int timeIdle = (int) ((timeNow - thisAccessedTime) / 1000L);
             if (timeIdle >= maxInactiveInterval) {
                 expire(true);
             }
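Review bot: on the changed `timeIdle` line, idleness is now measured from `thisAccessedTime`, which the report describes as the time of the current request and as updated only once per request, so a request that runs longer than `maxInactiveInterval` can still reach `expire(true)` while it is being processed. That is the question the report itself raises and this hunk leaves it open; consider skipping expiry while a request is in progress or refreshing the access time when the request ends. A short comment on the line saying why `thisAccessedTime` is used for the background check and `lastAccessedTime` is kept only for `HttpSession.getLastAccessedTime` would stop the two from being swapped back later.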
======

More elaborate way would be to cache the lastAccessedTime in the
httpsessionfacade and update the StandardSession.lastAccessedTime directly w/o
the thisAccessedTime in between. I could write the more elaborate
patch if someone is willing to commit it.

Please comment.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
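
The timing described in the report can be reproduced with a small model. This is an added example, not Tomcat source and not part of the original message: only the field names `lastAccessedTime`, `thisAccessedTime` and `maxInactiveInterval` come from the report, while the class, the method names and the 15-second background check interval are assumptions. It compares the unpatched and patched idle checks for a 3 min timeout with 1 min and 2 min refresh periods.

```java
// Simplified model of the access-time bookkeeping described in the report.
// Not Tomcat code: everything except the three field names is hypothetical.
public class SessionTimeoutModel {
    static class ModelSession {
        long lastAccessedTime;          // time of the previous request (seconds)
        long thisAccessedTime;          // time of the current request (seconds)
        final int maxInactiveInterval;  // timeout in seconds

        ModelSession(long created, int maxInactiveInterval) {
            this.lastAccessedTime = created;
            this.thisAccessedTime = created;
            this.maxInactiveInterval = maxInactiveInterval;
        }

        // Called once per request: the old "this" becomes "last".
        void access(long now) {
            lastAccessedTime = thisAccessedTime;
            thisAccessedTime = now;
        }

        // Same comparison as the hunk, with the reference time passed in.
        boolean expiredUsing(long reference, long now) {
            return maxInactiveInterval >= 0
                    && (now - reference) >= maxInactiveInterval;
        }
    }

    // First second at which the background check expires the session, or -1 if never.
    static long firstExpiry(int refresh, int timeout, int checkEvery,
                            boolean patched, long horizon) {
        ModelSession s = new ModelSession(0, timeout);
        for (long now = 1; now <= horizon; now++) {
            if (now % refresh == 0) s.access(now);          // client request
            if (now % checkEvery == 0) {                    // background thread
                long ref = patched ? s.thisAccessedTime : s.lastAccessedTime;
                if (s.expiredUsing(ref, now)) return now;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        int timeout = 180; // 3 min timeout, as in the report
        for (int refresh : new int[] {60, 120}) {
            System.out.printf("refresh=%ds unpatched=%d patched=%d%n", refresh,
                    firstExpiry(refresh, timeout, 15, false, 3600),
                    firstExpiry(refresh, timeout, 15, true, 3600));
        }
    }
}
```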

