4 Replies Latest reply on Oct 4, 2018 9:27 AM by Adam Krajcik

    Bug in Undertow InMemorySessionManager

    Leon Rosenberg Newbie

      Hello,

       

      I was recently investigating an issue with sessions in our application and tracked it down to InMemorySessionManager. In the local class SessionImpl there is a method getAttribute:

      @Override
      public Object getAttribute(final String name) {

         if (invalid) {

         throw UndertowMessages.MESSAGES.sessionNotFound(sessionId);

        }

        bumpTimeout();

         return attributes.get(name);

      }

       

      The call to bumpTimeout() would prevent session from expiring. However, this is against the spec (7.5) and common sense, since the session should only be dependent on user requests, not some crazy code accessing attributes.

      Is there any particular logic here? I checked tomcat and it's logic (also different via lastAccessTimestamp) is not influenced by accessing the attributes. Since jboss used to used tomcat as servlet engine prior to 8, why change in such a harsh way?

      Or am I just misreading the code?

       

      regards

      Leon