[Bug 69781] New: FileStore used with PersistentValve can cause EOFException during session expiration checks and dropped session

Wed, 13 Aug 2025 17:41:13 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=69781

            Bug ID: 69781
           Summary: FileStore used with PersistentValve can cause
                    EOFException during session expiration checks and
                    dropped session
           Product: Tomcat 10
           Version: 10.1.44
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ------

The FileStore save and remove operations if done concurrently with load
attempts are not really thread safe.  The file writes/deletes from save or
remove can lop off the data that a load is attempting to read so that the load
attempt hits an EOFException.  This has been noted when using it combination
with a PersistentValve and PersistentManager:

    <Valve className="org.apache.catalina.valves.PersistentValve" />
    <Manager className="org.apache.catalina.session.PersistentManager"
processExpiresFrequency="1">
        <Store className="org.apache.catalina.session.FileStore" />
    </Manager>

If a FileStore save attempt from the PersistentValve at the end of a request
happens alongside a background processExpires check FileStore load attempt for
the same session, then this can induce an EOFException like below during the
load attempt:

SEVERE [Catalina-utility-1]
org.apache.catalina.session.StoreBase.processExpires Error processing session
expiration for key [3DFF110B8415939F736A5751783ECDA9]
        java.io.EOFException
                at
java.base/java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2933)
                at
java.base/java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java:3428)
                at
java.base/java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:985)
                at
java.base/java.io.ObjectInputStream.<init>(ObjectInputStream.java:416)
                at
org.apache.catalina.util.CustomObjectInputStream.<init>(CustomObjectInputStream.java:87)
                at
org.apache.catalina.session.StoreBase.getObjectInputStream(StoreBase.java:204)
                at
org.apache.catalina.session.FileStore.load(FileStore.java:200)
                at
org.apache.catalina.session.StoreBase.processExpires(StoreBase.java:138)
                at
org.apache.catalina.session.PersistentManagerBase.processExpires(PersistentManagerBase.java:409)
                at
org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:587)
                at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:4837)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1172)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1154)
                at
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
                at
java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)
                at
java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
                at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
                at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
                at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
                at java.base/java.lang.Thread.run(Thread.java:1583)

That EOFException is then caught and handled at
https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/catalina/session/StoreBase.java#L173
to result in the session being removed and dropped unexpectedly before any
expected expiration.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to