The class org.jasig.cas.client.session.HashMapBackedSessionMappingStorage
contains 2 maps:

    private final Map<String, HttpSession> MANAGED_SESSIONS = new HashMap<String, HttpSession>();
    private final Map<String, String> ID_TO_SESSION_KEY_MAPPING = new HashMap<String, String>();

There is a part of the CAS client that listens for server events and clears
that storage on session destroy. That code is
in org.jasig.cas.client.session.SingleSignOutHttpSessionListener. The
problem is that the public API of javax.servlet.http.HttpServletRequest
has a method (since Servlet 3.1):

    String changeSessionId();

That method doesn't destroy the session, but changes its id. This type of
action doesn't affect the maps in HashMapBackedSessionMappingStorage.
It causes a memory leak, because a session whose id has changed cannot be
removed from the storage. Changing the session id is the default of Spring's
implementation of session fixation protection, so the problem may become
common in the future. The default is implemented in
org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy
and is created as the default in
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#createDefaultSessionFixationProtectionStrategy.

Possible fix: implement a listener that implements
javax.servlet.http.HttpSessionIdListener and manipulates the maps
in HashMapBackedSessionMappingStorage. I've implemented this, but I cannot
push my branch to https://github.com/apereo/java-cas-client:

    ERROR: Permission to apereo/java-cas-client.git denied to krzysztofslusarski.
    fatal: Could not read from remote repository.
    Please make sure you have the correct access rights
    and the repository exists.

Can I get the right to push and open a pull request?

Best regards,
Krzysztof Ślusarski

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CACjVSqEk5sTLLFhVXL8K7%3Dkb-cYJnnWYv%3D%2B5j6Q6U01yFS4msg%40mail.gmail.com.
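Editor's note: the example below is an added illustration of the fix the post proposes. It is not code from the java-cas-client project and is not the author's branch. It models a mapping storage on the two maps quoted above (mapping id to session, session id to mapping id) and adds the one operation the post says is missing: re-keying the reverse index when the container reports a session id change through javax.servlet.http.HttpSessionIdListener. The class and method names (SessionIdAwareMappingStorage, addSessionById, removeBySessionById, sessionIdChanged), the static STORAGE field and the use of a java.lang.reflect.Proxy in place of a container-managed HttpSession are all assumptions made for this example; in a real deployment the listener must act on the same storage instance that the single-sign-out filter uses. Compiling it needs the Servlet 3.1 API on the classpath.

```java
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Illustration only (not the project's class): a storage shaped like the two
 * maps quoted in the post, plus re-keying on session id change.
 */
public class SessionIdAwareMappingStorage {

    // mapping id (the CAS ticket) -> session, as MANAGED_SESSIONS in the post
    private final Map<String, HttpSession> managedSessions = new HashMap<>();
    // session id -> mapping id, as ID_TO_SESSION_KEY_MAPPING in the post
    private final Map<String, String> idToSessionKeyMapping = new HashMap<>();

    public synchronized void addSessionById(String mappingId, HttpSession session) {
        idToSessionKeyMapping.put(session.getId(), mappingId);
        managedSessions.put(mappingId, session);
    }

    // Called on session destroy. If the reverse index still holds the OLD id,
    // the lookup by the current id misses and both entries stay behind: the leak.
    public synchronized void removeBySessionById(String sessionId) {
        String mappingId = idToSessionKeyMapping.remove(sessionId);
        if (mappingId != null) {
            managedSessions.remove(mappingId);
        }
    }

    // The missing operation: move the reverse-index entry from the old id to
    // the new one. The forward map is keyed by ticket, so it needs no change.
    public synchronized void sessionIdChanged(String oldSessionId, String newSessionId) {
        String mappingId = idToSessionKeyMapping.remove(oldSessionId);
        if (mappingId != null) {
            idToSessionKeyMapping.put(newSessionId, mappingId);
        }
    }

    public synchronized int size() {
        return idToSessionKeyMapping.size();
    }

    /** One listener for both events; registered by annotation (Servlet 3.1). */
    @WebListener
    public static class SessionMappingListener implements HttpSessionListener, HttpSessionIdListener {
        // Assumption for this example: one shared storage instance.
        static final SessionIdAwareMappingStorage STORAGE = new SessionIdAwareMappingStorage();

        @Override
        public void sessionCreated(HttpSessionEvent se) {
            // nothing to register yet; the ticket is only known after CAS validation
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            STORAGE.removeBySessionById(se.getSession().getId());
        }

        @Override
        public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            // se.getSession().getId() already returns the new id here
            STORAGE.sessionIdChanged(oldSessionId, se.getSession().getId());
        }
    }

    // Stand-alone walk-through with a proxy standing in for the container's
    // HttpSession; only getId() is answered, everything else returns null.
    public static void main(String[] args) {
        String[] currentId = { "sess-old" };
        HttpSession session = (HttpSession) Proxy.newProxyInstance(
                HttpSession.class.getClassLoader(),
                new Class<?>[] { HttpSession.class },
                (proxy, method, margs) -> "getId".equals(method.getName()) ? currentId[0] : null);

        SessionMappingListener listener = new SessionMappingListener();
        SessionIdAwareMappingStorage storage = SessionMappingListener.STORAGE;

        // constructed ticket value; a real one comes from the CAS validation step
        storage.addSessionById("ST-1234-constructed", session);

        // What HttpServletRequest.changeSessionId() does under the hood: the
        // container renames the session and notifies HttpSessionIdListener.
        currentId[0] = "sess-new";
        listener.sessionIdChanged(new HttpSessionEvent(session), "sess-old");

        // Later the session expires; the destroy event carries the NEW id.
        listener.sessionDestroyed(new HttpSessionEvent(session));
        System.out.println("entries left in storage: " + storage.size());
    }
}
```

Comment out the call to listener.sessionIdChanged in main to reproduce the behaviour the post describes: the destroy event then arrives with an id the reverse index never saw, so the ticket and the HttpSession object stay referenced until the JVM stops. Note that the leak is a reason to fix the storage, not to switch the Spring Security strategy away from ChangeSessionIdAuthenticationStrategy; rotating the id on login is the protection against session fixation and should stay on.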