Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 52553 invoked from network); 13 Oct 2005 17:09:10 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 13 Oct 2005 17:09:10 -0000 Received: (qmail 27754 invoked by uid 500); 13 Oct 2005 17:09:03 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 27704 invoked by uid 500); 13 Oct 2005 17:09:03 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 27693 invoked by uid 99); 13 Oct 2005 17:09:03 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 13 Oct 2005 10:09:03 -0700 Received-SPF: pass (asf.osuosl.org: local policy) Received: from [192.18.98.36] (HELO brmea-mail-4.sun.com) (192.18.98.36) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 13 Oct 2005 10:09:05 -0700 Received: from phys-d3-ha21sca-2 ([129.145.155.165]) by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id j9DH8gvD027858 for ; Thu, 13 Oct 2005 11:08:42 -0600 (MDT) Received: from conversion-daemon.ha21sca-mail1.sfbay.sun.com by ha21sca-mail1.sfbay.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) id <0IOB00E016749F@ha21sca-mail1.sfbay.sun.com> (original mail from Jan.Luehe@Sun.COM) for dev@tomcat.apache.org; Thu, 13 Oct 2005 10:09:01 -0700 (PDT) Received: from sun.com (raga2.SFBay.Sun.COM [129.145.132.30]) by ha21sca-mail1.sfbay.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) with ESMTP id <0IOB003D36B029@ha21sca-mail1.sfbay.sun.com> for dev@tomcat.apache.org; Thu, 13 Oct 2005 10:09:01 -0700 (PDT) Date: Thu, 13 Oct 2005 10:08:41 -0700 From: Jan Luehe Subject: Re: Problem with session invalidation in target context of a RD.include() In-reply-to: <20051013023826.25178.qmail@web40623.mail.yahoo.com> To: Tomcat Developers List Reply-to: Jan.Luehe@Sun.COM Message-id: <434E9499.8050206@sun.com> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en-US User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.4) Gecko/20041214 References: <20051013023826.25178.qmail@web40623.mail.yahoo.com> X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Hi Yoav, Yoav Shapira wrote On 10/12/05 19:38,: > Hi, > I don't want to chop off any parts of your email because it nicely establishes > the context for the question, so I'll leave it all below. Thanks! > It's not obvious to me that option #1 is not acceptable. It raises the bar on > the includer, perhaps, but it's not obviously unacceptable. Am I missing some > relevant portion of the Servlet Spec here? No. I agree Option 1 raises the bar on the includer, but not every includer may be aware of it. If only the includer needed to be aware of this, Option 1 may not be so unacceptable, but in the case where the includer issues multiple RD.include() operations in parallel, the issue becomes more serious. For example, the portal server (webapp) simultaneosuly executes several portlets (from different webapps) aggregated on a portal page, by spawning as many threads and having each thread perform a RD.include() to the target portlet. If any of the portlets acquire a session, invalidate it, and then request a new session, Option 1 would require not only the session in the origin context, but any session in any of the other portlets to be invalidated as well, because the session in the origin context and the sessions in the target (portlet) contexts all share the same id. With Option 2, neither the session in the origin context nor the sessions in any of the other portlets would be affected. Jan > > Yoav > > --- Jan Luehe wrote: > > >>I have a question regarding session invalidation in the target context >>of a RequestDispatcher.include(). >> >>Some background info: The current impl of package >>org.apache.catalina.core.ApplicationHttpRequest.getSession() creates a >>session in the target context of a RD.include() as follows: >> >>- Checks if the origin context has any active session. >>- If the origin context has no active session, creates a session in >> the origin context. >>- Creates a session in the target context, and assigns to it the >> id of the session in the origin context. >> >>The requirement of having the sessions in the origin and target >>contexts share the same session id is due to the fact that any context >>that is the target of a RD.include() must not change any of the >>response headers (and therefore must not add any Set-Cookie response >>header) as per the Servlet Spec (SRV.8.3). >> >>This approach has worked well - as long as the target context >>does not decide to invalidate its session and acquire a new >>session. In that scenario, the current impl returns the invalidated >>session as the new session, causing IllegalStateException to be thrown >>when the session is accessed. This is because we currently don't >>check if "localSession", which is assigned as follows: >> >> localSession = context.getManager().findSession(other.getId()); >> >>is valid before returning it. >> >>We can easily fix this so that the invalidated session is no longer >>returned, but what should the newly generated session look like? >>I can see the following options: >> >>If the target context invalidates its session and then requests a new >>session .... >> >>- OPTION 1: >> >> ... we also invalidate the session in the origin context, create >> a new session in the origin context, create a new session in the >> target context, and assign the id of the new session in the origin >> context to the new session in the target context. Obviously, this >> option is unacceptable as it destroys any session data in the origin >> context. >> >>- OPTION 2: >> >> ... in the target context, we purge the invalidated session immediately >> before creating a new session and assigning to it the session id >> of the invalidated session (which is still equal to the id of the >> session in the origin context). This approach would violate the >> uniqueness requirement of session ids per context, but I don't see >> this as a problem, because this is happening within the same request. >> >> >>Any other opinions? >> >> >>Thanks, >> >> >>Jan >> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org >>For additional commands, e-mail: dev-help@tomcat.apache.org >> >> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org > For additional commands, e-mail: dev-help@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org