Hello.

There is a bug related to destroying session objects in Tomcat 3.3.b1.

Bug description
----------------

The valueUnbound() method is never called on attributes that are set on
a given session even if the attribute implements the
HttpSessionBindingListener interface.

Hypothesis
------------

A session is abstracted by an instance of the class ServerSession in
package org.apache.tomcat.core. A ServerSession object has with it a set
(an array) of BaseInterceptors. When the ServerSession is timed out, its
setState(int state) method is called. This method iterates over the
array of BaseInterceptors and calls the method sessionState(Request
request, ServerSession session, int state). The order in which the
method is called for the set of registered BaseInterceptors is as
follows:

    1. org.apache.tomcat.modules.config.PathSetter
    2. org.apache.tomcat.modules.config.ServerXmlReader
    3. org.apache.tomcat.modules.session.SessionExpirer
    4. org.apache.tomcat.modules.session.SessionIdGenerator
    5. org.apache.tomcat.modules.session.SimpleSessionStore
    6. org.apache.tomcat.facade.Servlet22Interceptor

The problem arises in the last 2 calls. When the SimpleSessionStore's
sessionState(...) method is called, it recycles the ServerSession object
- the implementation calls the recycle() method on the ServerSession
object. The implementation of recycle() on ServerSession clears all the
registered attributes!

The implementation of sessionState(...) on Servlet22Interceptor attempts
to loop through the set of attributes on the ServerSession object and
calls the valueUnbound() method if it finds instances of
HttpSessionBindingListener implementations. However, when the method
gets called, it never finds any attributes on the session [obviously
because they were just removed by SimpleSessionStore.setState(...)].

I am not sure if this bug has been fixed - I am pretty sure that the bug
existed in release 3.2.3 of Tomcat as well.

Fix
----

I am not sure what the "correct" fix for the bug is. I will leave it to
the experts on this list to sort it out. For the moment, I am commenting
out the call to ServerSession.recycle() in
SimpleSessionStore.sessionState(...). Any pointers to the correct fix
will be appreciated.

Thanks,
Prasanna.
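
The ordering problem described in the message above, reduced to a self-contained Java model (an added example, not part of the original post and not Tomcat's code). The `Session`, `Interceptor` and `BindingListener` types and the `auditHandle` attribute are hypothetical stand-ins for ServerSession, BaseInterceptor and HttpSessionBindingListener.

```java
import java.util.*;

// Simplified model of the expiry callback chain; these classes are
// hypothetical stand-ins, not Tomcat's ServerSession or BaseInterceptor.
public class ExpiryOrderDemo {
    interface BindingListener { void valueUnbound(String name); }
    interface Interceptor { void sessionState(Session s); }

    static class Session {
        final Map<String, Object> attributes = new LinkedHashMap<>();
        void recycle() { attributes.clear(); }
        void expire(List<Interceptor> chain) {
            for (Interceptor i : chain) i.sessionState(this);
        }
    }

    // Stands in for the store module: recycles the session on expiry.
    static final Interceptor STORE = Session::recycle;

    // Stands in for the facade module: unbinds each attribute and notifies
    // it if it is a listener.
    static final Interceptor FACADE = s -> {
        for (Map.Entry<String, Object> e : new ArrayList<>(s.attributes.entrySet())) {
            s.attributes.remove(e.getKey());
            if (e.getValue() instanceof BindingListener)
                ((BindingListener) e.getValue()).valueUnbound(e.getKey());
        }
    };

    // Expires a session holding one listener attribute and returns how many
    // valueUnbound() callbacks were delivered.
    static int unboundCalls(List<Interceptor> chain) {
        int[] calls = {0};
        Session s = new Session();
        s.attributes.put("auditHandle", (BindingListener) n -> calls[0]++);
        s.expire(chain);
        return calls[0];
    }

    public static void main(String[] args) {
        // Order from the report: the store recycles before the facade runs.
        System.out.println("store, facade: " + unboundCalls(Arrays.asList(STORE, FACADE)));
        // Listener notification placed ahead of recycling.
        System.out.println("facade, store: " + unboundCalls(Arrays.asList(FACADE, STORE)));
    }
}
```

Any cleanup an application hangs on valueUnbound() (releasing handles, writing a logout audit record) is silently skipped under the first ordering, so a regression test for session expiry should assert on the callback count rather than only on the session being gone.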

