DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17591>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17591

JDBCStore is not thread safe (sessions lost)

           Summary: JDBCStore is not thread safe (sessions lost)
           Product: Tomcat 4
           Version: 4.1.18
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


The methods load, etc. in JDBCStore are not thread safe.


But they are called by more than one thread simultanious.


This gives a race condition with PreparedStatement, which can lead to sessions 
going to the wrong browser.


I send a mail to [EMAIL PROTECTED], who forwarded it to the tomcat developers 
about two weeks ago, but I haven't seen a change in the CVS about this yet.


In our webapp we've seen more than ones, that users got somebody elses session 
after a reload of the webapp in which all the sessions get saved to and loaded 
from the database.




The use of the Statements is also not always correct.


ResultSets are closed before all the data of the ResultSet is used.


Example:


in = BufferedInputStream(resultset.getBinaryStream("bla"));


resultset.close();


in.read(...);




I think this is also not thread safe. And wil succeed with small sessions, but 
fails if the serialized session is large.




I wil submit an untested patch for JDBCStore.load().

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to