Can you try to find the version which introduced it? Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda < juri.berla...@tuwien.ac.at>:
> Hello, > > we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability > reported here late February. We were on 2.3.4 before. Since then we see > an insane amount (i.e. 100000+ per day) of "SessionScope does not exist > within current thread" in our logs, like: > > 15:46:41.421 ERROR > org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events] > - Session event listener threw exception > javax.enterprise.context.ContextNotActiveException: WebBeans context > with scope type annotation @SessionScoped does not exist within current > thread > at > org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329) > > ~[openwebbeans-impl.jar:2.0.12] > at > org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89) > > ~[openwebbeans-impl.jar:2.0.12] > at > org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76) > > ~[openwebbeans-impl.jar:2.0.12] > at > org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71) > > ~[openwebbeans-impl.jar:2.0.12] > at > org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java) > > ~[?:2.3.8] > at > org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113) > > ~[myfaces-impl.jar:2.3.8] > at > org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201) > > ~[myfaces-impl.jar:2.3.8] > at > org.apache.catalina.session.StandardSession.expire(StandardSession.java:801) > > [catalina.jar:9.0.22] > at > org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659) > > [catalina.jar:9.0.22] > at > org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573) > > [catalina.jar:9.0.22] > at > org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558) > > [catalina.jar:9.0.22] > at > org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536) > > [catalina.jar:9.0.22] > at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353) > > [catalina.jar:9.0.22] > at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) > > [catalina.jar:9.0.22] > at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) > > [catalina.jar:9.0.22] > at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335) > > [catalina.jar:9.0.22] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) > [?:?] > at > java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?] > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) > > [?:?] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) > > [?:?] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) > > [?:?] > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > > [tomcat-util.jar:9.0.22] > at java.lang.Thread.run(Thread.java:834) [?:?] > > We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to > fix the problem - without success. We are not sure what causes the > issue. We assume it has something to do with expired cookies being sent > to the server, but we are not sure that would sum up to the amount we > see. Also, we can't seem to be able to reproduce it on anything but > production system. > > JSF stack: > > * Tomcat 9.0.46 > * OpenWebBeans 2.0.21 > * MyFaces 2.3.8 > * DeltaSpike 1.9.3 (not sure if relevant) > > Any hint, help, or suggestion on debugging and narrowing down the issue > is very much appreciated. If more information is needed, feel free to > ask. I'm not sure what's relevant, so I don't really know what to add here. > > Cheers, > > Juri > >