Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread David Rees
I've found that certain applications will no longer invalidate
sessions after upgrading from 7.0.53 to 7.0.54.

It seems to require clustering to be set up in Tomcat. If it's not set
up, session invalidation works fine.

So far, I can only trigger it in a webapp that uses Tapestry Spring Security.

I see a few changes in the changelog related to session invalidate and
clustering, could one of these changes be responsible?

Anyone else see the same issue?

-Dave

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread Konstantin Kolinko
2014-05-29 11:58 GMT+04:00 David Rees dree...@gmail.com:
> I've found that certain applications will no longer invalidate
> sessions after upgrading from 7.0.53 to 7.0.54.
>
> It seems to require clustering to be set up in Tomcat. If it's not set
> up, session invalidation works fine.
>
> So far, I can only trigger it in a webapp that uses Tapestry Spring Security.
>
> I see a few changes in the changelog related to session invalidate and
> clustering, could one of these changes be responsible?


What are the symptoms?

Is there anything unusual in the log files?

Is a single web application affected, or it spans several applications
(via Single Sign On)?

You may consider debugging.
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

You may consider simplifying your configuration to build a simple
reproduce scenario for a bug report.

> Anyone else see the same issue?


Best regards,
Konstantin Kolinko




Re: Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread David Rees
On Thu, May 29, 2014 at 8:51 AM, Konstantin Kolinko
knst.koli...@gmail.com wrote:
> 2014-05-29 11:58 GMT+04:00 David Rees dree...@gmail.com:
>> I've found that certain applications will no longer invalidate
>> sessions after upgrading from 7.0.53 to 7.0.54.
>>
>> It seems to require clustering to be set up in Tomcat. If it's not set
>> up, session invalidation works fine.
>>
>> So far, I can only trigger it in a webapp that uses Tapestry Spring Security.
>>
>> I see a few changes in the changelog related to session invalidate and
>> clustering, could one of these changes be responsible?
>
> What are the symptoms?

The symptoms are that you expect the current session to be invalidated
and issued a new session on subsequent requests, but instead the
session remains valid and all data in the session remains.

> Is there anything unusual in the log files?

Nothing in the logs as far as I can tell.

> Is a single web application affected, or it spans several applications
> (via Single Sign On)?

Only a single web application affected.

> You may consider debugging.
> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> You may consider simplifying your configuration to build a simple
> reproduce scenario for a bug report.

Yes, those are my next steps, just haven't gotten that far yet and
wanted to see if anyone else was seeing anything similar.

Thanks

Dave




Re: Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread Christopher Schultz

David,

On 5/29/14, 3:12 PM, David Rees wrote:
> On Thu, May 29, 2014 at 8:51 AM, Konstantin Kolinko
> knst.koli...@gmail.com wrote:
>> 2014-05-29 11:58 GMT+04:00 David Rees dree...@gmail.com:
>>> I've found that certain applications will no longer invalidate
>>> sessions after upgrading from 7.0.53 to 7.0.54.
>>>
>>> It seems to require clustering to be set up in Tomcat. If it's
>>> not set up, session invalidation works fine.
>>>
>>> So far, I can only trigger it in a webapp that uses Tapestry
>>> Spring Security.
>>>
>>> I see a few changes in the changelog related to session
>>> invalidate and clustering, could one of these changes be
>>> responsible?
>>
>> What are the symptoms?
>
> The symptoms are that you expect the current session to be
> invalidated and issued a new session on subsequent requests, but
> instead the session remains valid and all data in the session
> remains.

Do you mean that you have a web application that does this:

  session.invalidate();
  session = request.getSession(true);

... and the old session is in fact not invalidated?

>> Is there anything unusual in the log files?
>
> Nothing in the logs as far as I can tell.
>
>> Is a single web application affected, or it spans several
>> applications (via Single Sign On)?
>
> Only a single web application affected.
>
>> You may consider debugging.
>> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>>
>> You may consider simplifying your configuration to build a simple
>> reproduce scenario for a bug report.
>
> Yes, those are my next steps, just haven't gotten that far yet and
> wanted to see if anyone else was seeing anything similar.

Please demonstrate that the session is in fact not validated. Given
your description, if this is really happening, it should be trivial to
create a test-case.

-chris



Re: Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread David Rees
On Thu, May 29, 2014 at 12:16 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
> Do you mean that you have a web application that does this:
>
>   session.invalidate();
>   session = request.getSession(true);
>
> ... and the old session is in fact not invalidated?

Yes. Specifics to make this happen seem to be:

TC 7.0.54 in a cluster, Tapestry 5.2.6 + Tapestry Spring Security.

7.0.53 is OK.
7.0.54 standalone is OK
Tapestry App without spring security is OK.
Plain old servlet apps work fine.

> Please demonstrate that the session is in fact not validated. Given
> your description, if this is really happening, it should be trivial to
> create a test-case.

Yes, just haven't had the time yet.

-Dave




Re: Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread David Rees
On Thu, May 29, 2014 at 12:39 PM, David Rees dree...@gmail.com wrote:

> Yes. Specifics to make this happen seem to be:
>
> TC 7.0.54 in a cluster, Tapestry 5.2.6 + Tapestry Spring Security.

OK, I was wrong, no Tapestry or Spring Security is required, just a
couple JSPs are required to reproduce. Key is that clustering needs to
be enabled.

Drop these two JSP files into your 7.0.54 cluster enabled web app.

/** session.jsp **/

<%@page session="true"%>
<html>
<body>
<table>
<tr><td>Session creation time:</td><td><%= session.getCreationTime() %></td></tr>
<tr><td>Session last accessed:</td><td><%= session.getLastAccessedTime() %></td></tr>
<tr><td>Current time:</td><td><%= System.currentTimeMillis() %></td></tr>
<tr><td>Is Session Id from URL?:</td><td><%= request.isRequestedSessionIdFromURL() %></td></tr>
<tr><td><a href="session.jsp">Reload Page</a></td><td><a href="invalidate.jsp">Invalidate</a></td></tr>
</table>
</body>
</html>

/** invalidate.jsp **/
<%
request.getSession().invalidate();
response.sendRedirect("session.jsp");
%>

Make sure
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
is added to the Host of the webapp you dropped the files above into.

Clicking on Reload Page will show the same creation time. On a 7.0.53
if you click on Invalidate, you will get a new creation time. On
7.0.54, you do not.

I'll open a ticket with these details, too.

-Dave
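
A scripted form of the reload/invalidate comparison described above, added here as an example (not code from the thread): `invalidation_works` loads session.jsp, reloads it, follows invalidate.jsp and reports whether the creation time changed. The function names and the small stub server, which only mimics a container that honours or ignores invalidate(), are constructed for illustration.

```python
import http.cookiejar, itertools, re, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def invalidation_works(base_url):
    """Load session.jsp, reload it, then follow invalidate.jsp and compare creation times."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),              # ignore proxy env vars, connect directly
        urllib.request.HTTPCookieProcessor(jar))      # keeps JSESSIONID across requests
    def creation_time(path):
        html = opener.open(base_url + path, timeout=5).read().decode()
        return re.search(r"Session creation time:</td><td>\s*(\d+)", html).group(1)
    before = creation_time("/session.jsp")
    if creation_time("/session.jsp") != before:       # "Reload Page" must show the same session
        raise RuntimeError("session cookie not kept; result would be meaningless")
    return creation_time("/invalidate.jsp") != before  # redirect to session.jsp is followed

def stub_handler(honour_invalidate):
    """Constructed stand-in for the two JSPs (not Tomcat): it only mimics the two outcomes."""
    sessions, ticks = {}, itertools.count(1000)
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass
        def do_GET(self):
            m = re.search(r"JSESSIONID=(\w+)", self.headers.get("Cookie", ""))
            sid = m.group(1) if m else None
            if self.path == "/invalidate.jsp":
                if honour_invalidate:
                    sessions.pop(sid, None)
                self.send_response(302)
                self.send_header("Location", "/session.jsp")
                self.end_headers()
                return
            self.send_response(200)
            if sid not in sessions:                   # unknown or invalidated id: new session
                sid = "S%d" % next(ticks)
                sessions[sid] = next(ticks)           # constructed "creation time"
                self.send_header("Set-Cookie", "JSESSIONID=%s; Path=/" % sid)
            body = "<tr><td>Session creation time:</td><td>%d</td></tr>" % sessions[sid]
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body.encode())
    return Handler

def check_stub(honour_invalidate):
    server = HTTPServer(("127.0.0.1", 0), stub_handler(honour_invalidate))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return invalidation_works("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("healthy stub:", check_stub(True), "| stub ignoring invalidate():", check_stub(False))
```

Against a real deployment, call `invalidation_works` with the base URL of the web app that holds the two JSPs; a `False` result means the session survived invalidation.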




Re: Tomcat 7.0.54 - Session invalidate broken in some apps

2014-05-29 Thread David Rees
On Thu, May 29, 2014 at 6:16 PM, David Rees dree...@gmail.com wrote:
> I'll open a ticket with these details, too.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56578

-Dave
