GitHub user aschwarte10 added a comment to the discussion: [Bug] Unexpected session expiration behavior on ARM64 architecture (Concurrency Issue)
Unfortunately no idea what the actual issue is. We were receiving reports from our users that sessions expired, and over the last weeks we attempted to get an understanding. The only common denominator was ARM architecture. Before Christmas we managed to get it reproducible eventually with a heavy JMeter workload (100 threads, hammering HTTP requests all using the same session id).

We also attempted to get an explanation from language models. This may provide an underlying cause, but I am personally way too far away from the low-level processing to follow that.

Here is the main output - maybe it helps to get further understanding:

> The Diagnosis: Thread Safety on ARM64
>
> Apache Shiro's default SimpleSession implementation is not thread-safe. It uses standard Java fields (e.g., `private Date lastAccessTime`) without volatile keywords or synchronization.
>
> On x86 processors (Intel/AMD), the hardware enforces a "Strong Memory Model." When one thread updates the session time, other threads (like the background validator) almost always see the update immediately, even without proper synchronization code.
>
> On ARM64 processors (AWS Graviton r8g), the hardware uses a "Weak Memory Model." It is much more aggressive about caching variables in local CPU cores.
>
> Thread A (User Request): Updates lastAccessTime to 3:23 PM. This value sits in Core 1's cache.
>
> Thread B (Background Validator): Wakes up on Core 2. It reads the session's lastAccessTime. Because there is no volatile keyword, it might read a stale value from main memory (e.g., the session creation time from 31 minutes ago).
>
> The Crash: Thread B calculates (Now - StaleTime) > 30 mins. It expires the session.
>
> The Paradox: When Shiro constructs the error message, it likely triggers a memory refresh or reads the updated object reference, showing you the "Now" time, even though it just killed the session based on the "Old" time.

GitHub link: https://github.com/apache/shiro/discussions/2447#discussioncomment-15452290
