Session destruction bug - Tomcat 3.3-b1.

2001-08-20 Thread Prasanna Uppaladadium 

Hello.

There is a bug related to destroying session objects in Tomcat 3.3.b1.

Bug description


The valueUnbound() method is never called on attributes that are set on
a given session even if the attribute implements the
HttpSessionBindingListener interface.

Hypothesis


A session is abstracted by an instance of the class ServerSession in
package org.apache.tomcat.core. A ServerSession object has with it a set
(an array) of BaseInterceptors. When the ServerSession is timed out, its
setState(int state) method is called. This method iterates over the
array of BaseInterceptors and calls the method sessionState(Request
request, ServerSession session, int state). The order in which the
method is called for the set of registered BaseInterceptors is as
follows:

1.  org.apache.tomcat.modules.config.PathSetter
2. org.apache.tomcat.modules.config.ServerXmlReader
3.  org.apache.tomcat.modules.session.SessionExpirer
4.  org.apache.tomcat.modules.session.SessionIdGenerator
5. org.apache.tomcat.modules.session.SimpleSessionStore
6. org.apache.tomcat.facade.Servlet22Interceptor

The problem arises in the last 2 calls. When the SimpleSessionStore's
sessionState(...) method is called, it recycles the ServerSession object
- the implementation calls the recycle() method on the ServerSession
object. The implementation of recycle() on ServerSession clears all the
registered attributes!

The implementation of sessionState(...) on Servlet22Interceptor attempts
to loop through the set of attributes on the ServerSession object and
calls the valueUnbound() mehod if it finds instances of
HttpSessionBindingListener implementations. However, when the method
gets called, it never finds any attributes on the session [obviously
because they were just removed SimpleSessionStore.setState(...)].

I am not sure if this bug has been fixed - I am pretty sure that the bug
existed in release 3.2.3 of Tomcat as well.

Fix


I am not sure what the correct fix for the bug is. I will leave it to
the experts on this list to sort it out. For the moment, I am commenting
out the call to ServerSession.recycle() in
SimpleSessionStore.sessionState(...). Any pointers to the correct fix
will be appreciated.

Thanks,
Prasanna.

Re: Session destruction bug - Tomcat 3.3-b1.

2001-08-20 Thread cmanolache 

Hi Prasanna,

I'm impressed with the excelent analysis of the bug, I wish more bugs were
reported this way ! I hope you'll stay around and help with other bugs.

The good news - this bug was fixed after 3.3b1 ( it was already in
bugzilla, but without all those details - it took me a while to find the
problem ). If you build from CVS you should have this fixed, please let me
know if you still have problems. ( and of course, I would be happy to hear
about more bugs from you :-)

Costin