Opened 6 years ago

Closed 6 years ago

#3458 defect closed fixed (fixed)

Expired session can be revived

Reported by: mthuurne Owned by:
Priority: normal Milestone:
Component: web Keywords:
Cc: Branch:
Author: Launchpad Bug:

Description

The Request.getSession() method does not check whether an existing session has already expired. Also, it calls Session.touch(), so if the session was expired (past its sessionTimeout) but was not cleaned up yet (before the sessionCheckTime), it will be revived.

The time between session expiry and session cleanup can be at most (sessionCheckTime - sessionTimeout) seconds, which is 15 minutes with the default values. Fixing #3457 would reduce the delay between expiry and cleanup, but may or may not eliminate it, depending on the strategy chosen. If this delay is eliminated, the expired session revival could not occur anymore, otherwise it would require a separate bugfix.

One solution would be to have Request.getSession() treat expired sessions like they don't exist and create a new session if the previous one expired. Another solution would be to have Site.getSession(), which is used by Request.getSession(), return only non-expired sessions. I prefer the latter, since it prevents expired sessions from being used in other places besides Request.
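The revival window described above, modelled as an added Python example (not Twisted's code): a stand-in Site/Session pair with an injectable clock, where checkExpiry=False reproduces getSession() touching an expired-but-unswept session and checkExpiry=True applies the reporter's preferred fix in Site.getSession(). The timeout value, the `revived` helper and all class internals are assumptions.

```python
import uuid

# Assumed default; the ticket's 15-minute window is sessionCheckTime - sessionTimeout.
SESSION_TIMEOUT = 900

class Session:
    def __init__(self, site, uid, now):
        self.site, self.uid, self.lastModified = site, uid, now

    def touch(self, now):
        self.lastModified = now  # extending lastModified is what revives an expired session

    def expired(self, now):
        return now - self.lastModified > self.site.sessionTimeout

class Site:
    def __init__(self, checkExpiry=False):
        self.sessions = {}
        self.sessionTimeout = SESSION_TIMEOUT
        self.checkExpiry = checkExpiry  # False reproduces the behaviour reported here

    def makeSession(self, now):
        uid = uuid.uuid4().hex
        self.sessions[uid] = Session(self, uid, now)
        return self.sessions[uid]

    def getSession(self, uid, now):
        session = self.sessions[uid]  # KeyError for an unknown uid, as in the original
        if self.checkExpiry and session.expired(now):
            # Fixed variant (the reporter's preferred option): a session that has
            # expired but not yet been swept is treated as nonexistent.
            del self.sessions[uid]
            raise KeyError(uid)
        return session

def getSessionForRequest(site, cookie_uid, now):
    # Mirrors Request.getSession(): look up by cookie, else create, then touch.
    try:
        session = site.getSession(cookie_uid, now)
    except KeyError:
        session = site.makeSession(now)
    session.touch(now)
    return session

def revived(checkExpiry, gap=1000):
    # True if a request `gap` seconds after creation keeps the original uid.
    # gap=1000 is past sessionTimeout (900) but inside the pre-sweep window.
    site = Site(checkExpiry=checkExpiry)
    first = getSessionForRequest(site, None, now=0)
    return getSessionForRequest(site, first.uid, now=gap).uid == first.uid
```

With the unfixed site the second request keeps the old uid even though the session is past its timeout; with the expiry check in place the stale uid is discarded and a fresh session is issued, while requests inside the timeout are unaffected.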

Change History (2)

comment:1 Changed 6 years ago by exarkun

  • Resolution set to fixed
  • Status changed from new to closed

The fix for #3457, r26133, removed the possibility for this.

comment:2 Changed 3 years ago by <automation>

  • Owner jknight deleted