tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37356] - Tomcat does not invalidate sessions after session-timeout period has passed.
Date Sun, 12 Mar 2006 14:24:32 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37356>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37356





------- Additional Comments From amasson@kikamedical.com  2006-03-12 14:24 -------
Since this is a severe bug for our customers (because multiple concurrent sessions
are not allowed for a single user ID), I use the following simple workaround:

1) A servlet Filter mapped to "/*" manages 2 session attributes (*):
- the end date of the last service() call, which is more interesting than the
access date
- the count of running service() calls

2) An HttpSessionListener maintains a list of all valid sessions.
It has a timer that checks at a fixed rate if any session in this list has expired.
The inactivity duration is computed from the end date of the last service(), so
long running requests are correctly handled.
Sessions that have at least one running service() are not invalidated; they are
checked later.

(*) the order of attribute updates is important to avoid a race condition that
can occur if the timer checks the session list between the two calls to
session.setAttribute().

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
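
The workaround described in the comment above, sketched as an added example; it is not the commenter's code or part of Tomcat. It assumes the javax.servlet API, and the class name, attribute names, 10-second check period and the chosen update order (end date written before the counter is decremented, counter read first by the timer) are assumptions made for this example.

```java
import java.io.IOException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class: register it in web.xml as a <listener> and as a <filter> on "/*".
public class IdleSessionReaper implements Filter, HttpSessionListener {
    static final String RUNNING = "reaper.running", LAST_END = "reaper.lastEnd"; // assumed names
    static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();
    private Timer timer;
    public void sessionCreated(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        s.setAttribute(RUNNING, new AtomicInteger());
        s.setAttribute(LAST_END, new AtomicLong(System.currentTimeMillis()));
        SESSIONS.put(s.getId(), s);
    }
    public void sessionDestroyed(HttpSessionEvent e) { SESSIONS.remove(e.getSession().getId()); }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpSession s = ((HttpServletRequest) rq).getSession(false); // never create one here
        if (s != null) ((AtomicInteger) s.getAttribute(RUNNING)).incrementAndGet();
        try { chain.doFilter(rq, rs); }
        finally {
            HttpSession after = ((HttpServletRequest) rq).getSession(false);
            if (after != null) try {
                // End date first, counter second: the timer never sees "idle" with a stale date.
                ((AtomicLong) after.getAttribute(LAST_END)).set(System.currentTimeMillis());
                if (s != null) ((AtomicInteger) s.getAttribute(RUNNING)).decrementAndGet();
            } catch (IllegalStateException invalidated) { /* session replaced or logged out */ }
        }
    }
    public void init(FilterConfig c) {
        timer = new Timer("idle-session-reaper", true); // daemon thread
        timer.scheduleAtFixedRate(new TimerTask() { public void run() { reap(); } }, 10_000, 10_000);
    }
    public void destroy() { timer.cancel(); }

    static void reap() {
        long now = System.currentTimeMillis();
        for (HttpSession s : SESSIONS.values()) try {
            // Read the counter before the end date (mirror of the write order in doFilter).
            if (((AtomicInteger) s.getAttribute(RUNNING)).get() > 0) continue; // checked later
            long idle = now - ((AtomicLong) s.getAttribute(LAST_END)).get();
            int max = s.getMaxInactiveInterval(); // seconds; <= 0 means never expire
            if (max > 0 && idle >= max * 1000L) s.invalidate(); // fires sessionDestroyed
        } catch (IllegalStateException gone) { SESSIONS.remove(s.getId()); }
    }
}
```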

