-
1. Re: Bug in Undertow InMemorySessionManager
dvayanu Sep 24, 2018 11:19 AM (in response to dvayanu)
Just wanted to make clear what the consequences of this behaviour are. One of my clients is using WildFly to host a web-shop. In the web-shop the basket will be saved in a session. However, prices do change from time to time, so there is a process that runs through all the sessions, looks at all the baskets and checks if prices in the basket have to be adjusted. This leads effectively to sessions which would never expire and servers blowing up.
-
2. Re: Bug in Undertow InMemorySessionManager
mchoma Sep 26, 2018 2:00 AM (in response to dvayanu)
Are you referring to Java Servlet 3.1 Specification chapter 7.5 Session Timeouts? Could you write down which sentence you have in mind exactly?
But yes, I have got your point. But this is a general problem: bumpTimeout is also in setAttribute, removeAttribute, getAttributeNames, getId. The question here is how "user interaction" should be detected reliably.
swd847, what do you think?
-
3. Re: Bug in Undertow InMemorySessionManager
jstourac Sep 26, 2018 3:25 AM (in response to mchoma)
Martin, I would correct the list of methods where 'bumpTimeout' is actually used in InMemorySessionManager to the following: createSession(), setMaxInactiveInterval(), getAttribute(), getAttributeNames(), setAttribute(), removeAttribute(). From this list, usage in the following methods is suspicious: getAttribute(), getAttributeNames(), setAttribute(), removeAttribute().
All occurrences were added by this commit [2] with initial session timeout implementation.
The truth is that the Servlet 4.0 specification, section 7.5 [3] (Servlet 3.1 is almost identical), specifies that the timeout depends on user activity only:
"This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period."
User interaction by common sense should mean some client request. Yeah, it looks like a bug to me, but swd847 should take a look.
[1] undertow/InMemorySessionManager.java at master · undertow-io/undertow · GitHub
[2] Implement session timeout · undertow-io/undertow@be768b6 · GitHub
[3] https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
-
4. Re: Bug in Undertow InMemorySessionManager
adamkrajcik Oct 4, 2018 9:27 AM (in response to dvayanu)
I created JIRAs to track progress on this: WFLY-11115 [1] and UNDERTOW-1419 [2]
[1] [WFLY-11115] bumpTimeout method usage in InMemorySessionManager - JBoss Issue Tracker
[2] [UNDERTOW-1419] bumpTimeout method usage in InMemorySessionManager - JBoss Issue Tracker
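
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Undertow's code: a simplified session model in which a server-side job reads an attribute every 10 minutes while no client request ever arrives. The class, its methods, the "basket" value and the 30-minute timeout are assumptions chosen for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model for illustration only; names and timings are assumptions.
public class SessionTimeoutDemo {

    static final class Session {
        final Map<String, Object> attrs = new ConcurrentHashMap<>();
        final boolean bumpOnAttributeAccess;
        long lastAccessed;

        Session(long now, boolean bumpOnAttributeAccess) {
            this.lastAccessed = now;
            this.bumpOnAttributeAccess = bumpOnAttributeAccess;
        }

        // What the container would call when a client request uses the session.
        void requestReceived(long now) { lastAccessed = now; }

        // Attribute read; optionally resets the inactivity clock, which is
        // the behaviour the thread calls suspicious.
        Object getAttribute(String name, long now) {
            if (bumpOnAttributeAccess) lastAccessed = now;
            return attrs.get(name);
        }

        boolean isExpired(long now, long maxInactiveMillis) {
            return now - lastAccessed >= maxInactiveMillis;
        }
    }

    // Two simulated hours with a background job and zero client requests.
    // Returns true if the session expired during that time.
    static boolean expiresUnderBackgroundJob(boolean bumpOnAttributeAccess) {
        final long maxInactive = 30 * 60_000L; // 30-minute session timeout
        final long jobPeriod = 10 * 60_000L;   // price-check job every 10 minutes
        long now = 0;
        Session s = new Session(now, bumpOnAttributeAccess);
        s.attrs.put("basket", "constructed-sample-item");
        for (int i = 0; i < 12; i++) {
            now += jobPeriod;
            if (s.isExpired(now, maxInactive)) return true; // reaper would evict it
            s.getAttribute("basket", now);                  // server-side access only
        }
        return s.isExpired(now, maxInactive);
    }

    public static void main(String[] args) {
        System.out.println("bump on attribute access, expired: " + expiresUnderBackgroundJob(true));
        System.out.println("bump on client request only, expired: " + expiresUnderBackgroundJob(false));
    }
}
```

When attribute access resets the clock, the session outlives its timeout for as long as the job keeps running, so abandoned sessions accumulate in memory; when only `requestReceived` resets it, the same session expires after 30 minutes without client activity.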