From the phone - so sorry to be too concise - but in TomEE we had this issue and used the update session id feature to fix it.

On 7 March 2015 11:47, "Mark Struberg" <[email protected]> wrote:

> Which version of OWB are you using? 1.2.x or 1.5.x snapshot?
> I might totally rework all our session handling in the current trunk.
> We will ship a release in the next few weeks.
>
> LieGrue,
> strub
>
> > On 06.03.2015 at 13:42, Sebastian Gebhardt <[email protected]> wrote:
> >
> > Hi Mark!
> >
> > I added the WebBeansConfigurationListener to the web.xml and also use the openwebbeans-tomcat7 plugin. The tomcat parameter changeSessionIdOnAuthentication is not explicitly changed, so the default value true should be active.
> >
> > My starting point was a heap dump resulting from an OutOfMemoryError of the application. Inspecting the dump, I noticed the sessionContexts Map of the SessionContextManager. The map was about 2,5 GB.
> > During my debugging sessions I detected two WebBeansConfigurationListener.sessionCreated() calls for a login. The second call only creates a copy of the first one (attributes are the same as those of the first session). But I never expected a WebBeansConfigurationListener.sessionDestroyed() call for the first session.
> >
> > Thanks
> >
> > On 06.03.2015 at 13:19, Mark Struberg wrote:
> >> Hi Sebastian!
> >>
> >> I think it should all work out of the box. How did you set up OWB in tomcat?
> >> Are you using the webbeans-tomcat7 + context.xml or are you simply adding the WebBeansConfigurationListener in your web.xml?
> >>
> >> In any case, please debug into WebBeansConfigurationListener#sessionDestroyed().
> >> (You can also debug into sessionCreated() to be sure the listener is properly registered).
> >>
> >> This is a standard HttpSessionListener and must get invoked by the container.
> >>
> >> What tomcat feature do you use to force a new sessionId? changeSessionIdOnAuthentication?
> >> Maybe we need to add support for those or provide a better mapping.
> >>
> >> If you give me a few hints about what your application looks like in regard to session handling then I'll investigate it.
> >> We are short before a release anyway.
> >>
> >> LieGrue,
> >> strub
> >>
> >>> On 06.03.2015 at 12:54, Sebastian Gebhardt <[email protected]> wrote:
> >>>
> >>> Hello!
> >>>
> >>> My application uses OWB and runs in a tomcat 7. The users are authenticated by the container.
> >>> During the authentication the session id changes (to prevent session fixation attacks). This leads to a second call to SessionContextManager.addNewSessionContext(). But the SessionContext created in the first call is never destroyed/removed. So the SessionContextManager's map of session contexts grows. Finally this leads to an OutOfMemoryException.
> >>> Is there something I have misconfigured?
> >>>
> >>> Thanks!
> >>
> >
> > --
> > Sebastian Gebhardt
> > Email: [email protected]
> > PGP-Public Key: http://www.bfeater.de/bfeater_pubkey.asc
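
Added example, not part of the thread and not OpenWebBeans or TomEE code: a dependency-free Java model of the leak reported above, where a registry keyed by session id receives a second "created" call at login and never a "destroyed" call for the pre-login id, next to a variant that re-keys the entry when the id changes. The class, its method names and the workload are hypothetical; in a Servlet 3.1+ container the id-change callback corresponds to `HttpSessionIdListener#sessionIdChanged`.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Simplified model (an assumption, not OWB code) of a per-session context map keyed by session id. */
public class SessionContextRegistry {
    private final Map<String, Object> contexts = new ConcurrentHashMap<>();
    private final boolean rekeyOnIdChange;

    public SessionContextRegistry(boolean rekeyOnIdChange) {
        this.rekeyOnIdChange = rekeyOnIdChange;
    }

    // Mirrors HttpSessionListener#sessionCreated: one context per session id.
    public void sessionCreated(String id) {
        contexts.computeIfAbsent(id, k -> new Object());
    }

    // Mirrors HttpSessionListener#sessionDestroyed: only the id current at destroy time is known.
    public void sessionDestroyed(String id) {
        contexts.remove(id);
    }

    // Session id rotation at login (session fixation protection).
    public void sessionIdChanged(String oldId, String newId) {
        if (rekeyOnIdChange) {
            // Move the existing context to the new key so the old entry cannot linger.
            Object ctx = contexts.remove(oldId);
            if (ctx != null) contexts.put(newId, ctx);
        } else {
            // Behaviour reported in the thread: a second "created" call, no "destroyed" for the old id.
            sessionCreated(newId);
        }
    }

    public int size() { return contexts.size(); }

    // Constructed workload: each user logs in (id rotates once) and later logs out.
    static int leakedAfter(int users, boolean rekey) {
        SessionContextRegistry r = new SessionContextRegistry(rekey);
        for (int i = 0; i < users; i++) {
            r.sessionCreated("pre-" + i);
            r.sessionIdChanged("pre-" + i, "post-" + i);
            r.sessionDestroyed("post-" + i);
        }
        return r.size();
    }

    public static void main(String[] args) {
        System.out.println("without re-keying: " + leakedAfter(1000, false) + " orphaned contexts");
        System.out.println("with re-keying:    " + leakedAfter(1000, true) + " orphaned contexts");
    }
}
```

Without re-keying, every login leaves one entry behind that no later callback can reach, which is the unbounded map growth seen in the heap dump.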
