tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51812] New: Tomcat access logging "tickles" session causing session to never time out
Date Wed, 14 Sep 2011 17:11:40 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51812

             Bug #: 51812
           Summary: Tomcat access logging "tickles" session causing
                    session to never time out
           Product: Tomcat 7
           Version: 7.0.14
          Platform: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: danlee5002@gmail.com
    Classification: Unclassified


I have created a web app (servlet application) that does asynchronous hits from
the browser to periodically fetch some status information and update the page. 
These asynchronous hits are directed to a dedicated servlet in the same webapp
that takes great pains to never touch the session so that the session access
time is not modified.  The idea is that these asynchronous hits don't count as
real hits else the session would never idle time out.

This worked fine on Tomcat-6.0.14.  Upgrading to Tomcat-7.0.14 causes a problem
in that these asynchronous hits are updating the session access time.

I have traced the problem down to
org.apache.catalina.valves.AccessLogValve.java.  When it is doing its logging,
it is trying to fetch the "principal" object from the session and thus changing
the session last access time.  This does not seem to be legitimate.

Here is the relevant code:

 /**
  * Enforce the security restrictions in the web application deployment
  * descriptor of our associated Context.
  *
  * @param request Request to be processed
  * @param response Response to be processed
  *
  * @exception IOException if an input/output error occurs
  * @exception ServletException if thrown by a processing element
  */
 @Override
 public void invoke(Request request, Response response)
    throws IOException, ServletException {

    if (log.isDebugEnabled())
        log.debug("Security checking request " +
            request.getMethod() + " " + request.getRequestURI());
    LoginConfig config = this.context.getLoginConfig();

    // Have we got a cached authenticated Principal to record?
    if (cache) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            Session session = request.getSessionInternal(false);  <- Session
Ticked Here
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled())
                        log.debug("We have cached auth type " +
                            session.getAuthType() +
                            " for principal " +
                            session.getPrincipal());
                    request.setAuthType(session.getAuthType());
                    request.setUserPrincipal(principal);
                }
            }
        }

Changing the source code so that cache=false, solves the problem and the
session access time is not affected by these asynchronous hits.  I cannot find
a way to set cache=false other than changing source.  Adding cache="false" to
the Valve tag in server.xml seems to have no effect.  

It would be nice if this parameter were controllable or if the code did not
have this characteristic.  Logging should not effect the user's session.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message