Expired session can be revived
Reported by: mthuurne | Owned by:
The Request.getSession() method does not check whether an existing session has already expired. It also calls Session.touch(), so a session that is past its sessionTimeout but has not yet been cleaned up (cleanup only runs every sessionCheckTime seconds) is revived instead of being discarded.
The time between session expiry and session cleanup can be at most (sessionCheckTime - sessionTimeout) seconds, which is 15 minutes with the default values. Fixing #3457 would reduce the delay between expiry and cleanup, but may or may not eliminate it, depending on the strategy chosen. If this delay is eliminated, the expired session revival could not occur anymore, otherwise it would require a separate bugfix.
One solution would be to have Request.getSession() treat expired sessions as though they do not exist and create a new session when the previous one has expired. Another solution would be to have Site.getSession(), which Request.getSession() uses for the lookup, return only non-expired sessions. I prefer the latter, since it prevents expired sessions from being used in other places besides Request.
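The following is an added, constructed model of the two lookup paths discussed in this ticket; it is not Twisted's own code. The fake Clock, the simplified Session/Site classes, request_get_session() and the getSessionFixed() method are assumptions standing in for the real twisted.web.server classes, using the default 900 s timeout and 1800 s check interval the ticket refers to.

```python
"""Model of the expired-session revival bug and the proposed Site-side fix."""
import uuid


class Clock:
    """Stand-in for the reactor clock so expiry can be simulated offline."""
    def __init__(self):
        self.now = 0.0

    def seconds(self):
        return self.now

    def advance(self, secs):
        self.now += secs


class Session:
    sessionTimeout = 900  # default idle timeout in seconds

    def __init__(self, site, uid, clock):
        self.site, self.uid, self.clock = site, uid, clock
        self.touch()

    def touch(self):
        """Mark the session as used now; this is what revives an expired one."""
        self.lastModified = self.clock.seconds()

    def isExpired(self):
        return self.clock.seconds() - self.lastModified > self.sessionTimeout

    def expire(self):
        self.site.sessions.pop(self.uid, None)


class Site:
    sessionCheckTime = 1800  # cleanup sweep interval in seconds

    def __init__(self, clock):
        self.clock, self.sessions = clock, {}

    def makeSession(self):
        uid = uuid.uuid4().hex
        self.sessions[uid] = session = Session(self, uid, self.clock)
        return session

    def getSession(self, uid):
        """Buggy lookup: hands back a session even if it is past its timeout."""
        return self.sessions[uid]

    def getSessionFixed(self, uid):
        """Ticket's preferred fix (assumed name): expired sessions count as absent."""
        session = self.sessions[uid]
        if session.isExpired():
            session.expire()
            raise KeyError(uid)
        return session


def request_get_session(site, cookie_uid, lookup):
    """Models Request.getSession(): look up by cookie, else create; then touch()."""
    try:
        session = lookup(cookie_uid)
    except KeyError:
        session = site.makeSession()
    session.touch()  # revives a timed-out session that the sweep has not removed yet
    return session


def revival_demo(fixed):
    """True if a request made after the timeout gets the old session back."""
    clock = Clock()
    site = Site(clock)
    lookup = site.getSessionFixed if fixed else site.getSession
    first = request_get_session(site, None, lookup)
    clock.advance(Session.sessionTimeout + 60)  # expired, but before the next sweep
    second = request_get_session(site, first.uid, lookup)
    return second.uid == first.uid
```

With the buggy lookup revival_demo(False) returns True, showing the old session revived inside the (sessionCheckTime - sessionTimeout) window; with the Site-side fix it returns False.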