tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37356] - Tomcat does not invalidate sessions after session-timeout period has passed.
Date Fri, 10 Mar 2006 12:04:25 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37356>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37356
------- Additional Comments From tm@allocation.net  2006-03-10 12:04 -------
(In reply to comment #25)
> (In reply to comment #24)
> > Proposed patch:
> 
> -1. Pretend you read my comment.

Well, apart from the fact that I wrote my comment while you posted yours
(mid-air collision):

I don't see any obvious reason against syncing the accessCount with the volatile
keyword. The accessCount obviously needs to be synchronized in some way (or be
removed, which I don't fancy because of large, time-consuming downloads).
Of course I would be happy to improve my understanding, so please explain. 

For the "rare" issue: we see quite a few of these stale sessions (approx. 2-10 a day).
I'm not saying that this is a major security issue, but over time it gives an
attacker quite a chance to guess some sessionId.

Many people will not even be aware of this issue, because you can only see it if
you keep track of sessions yourself. All others might take a look into the
manager application and enjoy the number of concurrent users they usually have,
not knowing those sessions should have expired a long time ago.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

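Added example, not Tomcat's code and not the patch under discussion: a small Java program that models the two approaches the comment above contrasts. It assumes a simplified session where accessCount > 0 means "a request is in flight, do not expire" (the reason the poster wants to keep the counter for long downloads) and that a background reaper calls isValid(). Class and method names (VolatileSession, AtomicSession, hammer) are hypothetical. The point it shows is that `volatile` makes reads and writes visible across threads but does not make `++`/`--` atomic, so concurrent requests on one session can lose updates and leave accessCount non-zero; a positive residue makes that session immortal, which is exactly the stale-session symptom described in the thread. The race is probabilistic: run it a few times on a multi-core machine.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical model of a session whose expiry is suppressed while requests are in flight.
public class AccessCountRace {

    interface Session {
        void beginRequest();
        void endRequest();
        int count();
        boolean isValid();
    }

    // Constructed fixture: every session has been idle for 60 s against a 30 s timeout,
    // so a correctly drained counter must let isValid() report false.
    static final long IDLE_MILLIS = 60_000;
    static final int MAX_INACTIVE_SECONDS = 30;

    // Variant 1: the counter the thread proposes to protect with `volatile` only.
    static class VolatileSession implements Session {
        volatile int accessCount = 0;
        final long lastAccessedTime = System.currentTimeMillis() - IDLE_MILLIS;

        public void beginRequest() { accessCount++; }   // read-modify-write, NOT atomic
        public void endRequest()   { accessCount--; }   // read-modify-write, NOT atomic
        public int count()         { return accessCount; }

        // Assumption (simplified model): in-flight requests veto expiry, otherwise idle time decides.
        public boolean isValid() {
            if (accessCount > 0) return true;
            long idleSeconds = (System.currentTimeMillis() - lastAccessedTime) / 1000L;
            return idleSeconds < MAX_INACTIVE_SECONDS;
        }
    }

    // Variant 2: an AtomicInteger, whose increment and decrement are single indivisible
    // operations, so the counter always returns to zero once all requests have finished.
    static class AtomicSession implements Session {
        final AtomicInteger accessCount = new AtomicInteger();
        final long lastAccessedTime = System.currentTimeMillis() - IDLE_MILLIS;

        public void beginRequest() { accessCount.incrementAndGet(); }
        public void endRequest()   { accessCount.decrementAndGet(); }
        public int count()         { return accessCount.get(); }

        public boolean isValid() {
            if (accessCount.get() > 0) return true;
            long idleSeconds = (System.currentTimeMillis() - lastAccessedTime) / 1000L;
            return idleSeconds < MAX_INACTIVE_SECONDS;
        }
    }

    // Drive one session with many concurrent begin/end pairs, all released at once.
    static void hammer(Session s, int threads, int iterations) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int i = 0; i < iterations; i++) { s.beginRequest(); s.endRequest(); }
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
    }

    public static void main(String[] args) throws InterruptedException {
        Session v = new VolatileSession();
        Session a = new AtomicSession();
        hammer(v, 8, 200_000);
        hammer(a, 8, 200_000);
        // The atomic counter is always 0 afterwards and the idle session reports invalid.
        // The volatile counter is usually left non-zero; while it is positive, isValid()
        // keeps returning true and a reaper would never expire this session.
        System.out.println("volatile accessCount=" + v.count() + " isValid=" + v.isValid());
        System.out.println("atomic   accessCount=" + a.count() + " isValid=" + a.isValid());
    }
}
```

Compile and run with `javac AccessCountRace.java && java AccessCountRace`. The lost updates come from two threads reading the same value, both incrementing (or one incrementing while the other decrements) and both writing back, so each collision shifts the counter by one in either direction; synchronizing the updates (AtomicInteger, or a `synchronized` block around both the increment and the decrement) is what actually removes the race, `volatile` alone only removes the visibility problem.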
