Opened 11 years ago

Closed 10 years ago

#3458 defect closed fixed (fixed)

Expired session can be revived

Reported by: mthuurne Owned by:
Priority: normal Milestone:
Component: web Keywords:
Cc: Branch:


The Request.getSession() method does not check whether an existing session has already expired. Also, it calls Session.touch(), so if the session was expired (past its sessionTimeout) but was not cleaned up yet (before the sessionCheckTime), it will be revived.

The time between session expiry and session cleanup can be at most (sessionCheckTime - sessionTimeout) seconds, which is 15 minutes with the default values. Fixing #3457 would reduce the delay between expiry and cleanup, but may or may not eliminate it, depending on the strategy chosen. If this delay is eliminated, the expired session revival could not occur anymore, otherwise it would require a separate bugfix.

One solution would be to have Request.getSession() treat expired sessions like they don't exist and create a new session if the previous one expired. Another solution would be to have Site.getSession(), which is used by Request.getSession(), return only non-expired sessions. I prefer the latter, since it prevents expired sessions from being used in other places besides Request.
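As an added illustration (not Twisted's code), a minimal model of the lookup path the ticket describes, with the reporter's preferred fix switchable via `check_expiry`. The class and method names follow the ticket; the 900 s / 1800 s values are assumed defaults consistent with the 15-minute gap it mentions, and everything else is constructed.

```python
SESSION_TIMEOUT = 900      # seconds of inactivity before a session expires (assumed default)
SESSION_CHECK_TIME = 1800  # seconds between cleanup sweeps (assumed default)

class Session:
    def __init__(self, uid, now):
        self.uid = uid
        self.last_modified = now
    def touch(self, now):
        self.last_modified = now
    def is_expired(self, now):
        return now - self.last_modified > SESSION_TIMEOUT

class Site:
    """Session store; check_expiry=False models the behaviour the ticket describes."""
    def __init__(self, check_expiry):
        self.sessions = {}
        self.check_expiry = check_expiry
        self.counter = 0
    def make_session(self, now):
        self.counter += 1
        s = Session("sid%d" % self.counter, now)
        self.sessions[s.uid] = s
        return s
    def get_session(self, uid, now):
        s = self.sessions.get(uid)
        if s is not None and self.check_expiry and s.is_expired(now):
            del self.sessions[uid]  # fix: an expired session is treated as absent
            return None
        return s
    def cleanup(self, now):
        """Periodic sweep; between sweeps expired sessions linger in the store."""
        for uid, s in list(self.sessions.items()):
            if s.is_expired(now):
                del self.sessions[uid]

def request_get_session(site, cookie_uid, now):
    """Model of Request.getSession(): reuse the cookie's session or create one, then touch it."""
    s = site.get_session(cookie_uid, now) if cookie_uid else None
    if s is None:
        s = site.make_session(now)
    s.touch(now)
    return s

def revival_demo(check_expiry):
    """(revived, survives_sweep) for a client returning 60 s after timeout, before the sweep."""
    site = Site(check_expiry)
    first = request_get_session(site, None, 0)
    later = request_get_session(site, first.uid, SESSION_TIMEOUT + 60)
    site.cleanup(SESSION_CHECK_TIME)
    return later is first, first.uid in site.sessions
```

Without the check, the touch() on the stale session resets its clock, so the revived session also outlives the sweep that should have removed it; with the check in Site.get_session(), the stale cookie simply yields a fresh session.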

Change History (2)

comment:1 Changed 10 years ago by Jean-Paul Calderone

Resolution: fixed
Status: new → closed

The fix for #3457, r26133, removed the possibility for this.

comment:2 Changed 8 years ago by <automation>

Owner: jknight deleted