DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17591>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17591 JDBCStore is not thread safe (sessions lost) Summary: JDBCStore is not thread safe (sessions lost) Product: Tomcat 4 Version: 4.1.18 Platform: All OS/Version: All Status: NEW Severity: Critical Priority: Other Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] The methods load, etc. in JDBCStore are not thread safe. But they are called by more than one thread simultanious. This gives a race condition with PreparedStatement, which can lead to sessions going to the wrong browser. I send a mail to [EMAIL PROTECTED], who forwarded it to the tomcat developers about two weeks ago, but I haven't seen a change in the CVS about this yet. In our webapp we've seen more than ones, that users got somebody elses session after a reload of the webapp in which all the sessions get saved to and loaded from the database. The use of the Statements is also not always correct. ResultSets are closed before all the data of the ResultSet is used. Example: in = BufferedInputStream(resultset.getBinaryStream("bla")); resultset.close(); in.read(...); I think this is also not thread safe. And wil succeed with small sessions, but fails if the serialized session is large. I wil submit an untested patch for JDBCStore.load(). --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]