DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16705>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16705 Pending requests can corrupt data of recycled sessions Summary: Pending requests can corrupt data of recycled sessions Product: Tomcat 4 Version: 4.1.12 Platform: Sun OS/Version: Solaris Status: NEW Severity: Critical Priority: Other Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Sometimes we have problems that one user can see the stored session data of another one. We find out that the recycling of invalidated sessions is unsafe, if there are pending requests. The pending request can write some data in a recycled session, if the associated session of this request were invalidated during the request! Consider the following example. -- first.jsp <% // invalidate a valid session if there is one if(request.getSession(false) != null) { request.getSession().invalidate(); } // get a new session request.getSession(true); // print out the new session id out.write(request.getSession().getId()+"<br>"); out.write("<a href=\"second.jsp\">Go</a>"); %> -- second.jsp <% // do the work only if there is a session if(session != null && !session.isNew()) { // save the old session id String firstId = session.getId(); // print out the old session id out.write(firstId+"<br>"); out.write("<br>"); // this wait of 10 seconds is only to achieve reproducibility System.out.println("start!"); try { synchronized(this) { wait(10000); } } catch(Exception e) { } System.out.println("end!"); // save id in session if there is no one if(session.getAttribute("Id") == null) { session.setAttribute("Id",firstId); } // get the saved id String savedId = (String) session.getAttribute("Id"); // print out the 'actual' session id and the saved session id out.write(session.getId()+"<br>"); out.write(savedId+"<br>"); } else { out.write("Please call <a href=\"first.jsp\">this</a> first!"); } %> To reproduce the bug do the following: 1. Call first.jsp - You will get a new session. 2. Call second.jsp. 3. Wait if "start!" is logged on the Tomcat console. 4. Break up the request to second.jsp in your browser. 5. Call first.jsp again - The old session will invalidate and you will get a new session again. 6. Call second.jsp again. 7. In the response the last two printed ids differs! --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
