Which version of owb are you using? 1.2.x or 1.5.x snapshot? I might totally rework all our session handling in the current trunk. We will ship a release in the next few weeks.
LieGrue, strub > Am 06.03.2015 um 13:42 schrieb Sebastian Gebhardt > <[email protected]>: > > Hi Mark! > > I added the WebBeansConfigurationListener to the web.xml and also use the > openwebbeans-tomcat7 plugin. The tomcat parameter > changeSessionIdOnAuthentication is not explicitly changed, so the default > value true should be active. > > My starting point was a heap dump resulting from an OutOfMemoryError of the > application. Inspecting the dump, I noticed the sessionContexts Map of the > SessionContextManager. The map was about 2,5 GB. > During my debugging sessions I detected two > WebBeansConfigurationListener.sessionCreated() > calls for a login. The second call only creates a copy of the first one > (attributes are the same of the first session). But I never expected a > WebBeansConfigurationListener.sessionDestroyed() call for the first session. > > > > Thanks > > > Am 06.03.2015 um 13:19 schrieb Mark Struberg: >> Hi Sebastian! >> >> I think it should all work out of the box. How did you setup OWB in tomcat? >> Are you using the webbeans-tomcat7 + context.xml or are you simply adding >> the WebBeansConfigurationListener in your web.xml? >> >> In any case, please debug into >> WebBeansConfigurationListener#sessionDestroyed(). >> (You can also debug into sessionCreated() to be sure the listener is >> properly registered). >> >> This is a standard HttpSessionListener and must get invoked by the container. >> >> >> What tomcat feature do you use to force a new sessionId? >> changeSessionIdOnAuthentication ? >> Maybe we need to add support for those or provide a better mapping. >> >> If you give me a few hints how your application looks like in regards to >> session handling then I’ll investigate it. >> We are short before a release anyway. >> >> LieGrue, >> strub >> >> >>> Am 06.03.2015 um 12:54 schrieb Sebastian Gebhardt >>> <[email protected]>: >>> >>> Hello! >>> >>> My application uses owb and runs in a tomcat 7. The user are authenticated >>> by the container. >>> During the authentication the session id changes (to prevent session >>> fixation attacks). This leads to a second call to >>> SessionContextManager.addNewSessionContext(). But the SessionContext >>> created in the first call is never destroyed/removed. So the >>> SessionContextManager's map of session contexts grows. Finally this leads >>> to an OutOfMemoryException. >>> Is there something I have misconfigured? >>> >>> >>> Thanks! >> > > -- > Sebastian Gebhardt > Email: [email protected] > PGP-Public Key: http://www.bfeater.de/bfeater_pubkey.asc
