[keycloak-dev] ClientSessions may never be removed

Marek Posolda mposolda at redhat.com
Wed Oct 29 14:26:05 EDT 2014


+1

For mem we seem to be doing it too here: 
https://github.com/keycloak/keycloak/blob/master/model/sessions-mem/src/main/java/org/keycloak/models/sessions/mem/MemUserSessionProvider.java#L197 

However it looks to me that there is a bug in it. It's checking 
ClientSessions without an associated UserSession (which is ok to me as 
those associated with UserSessionModel were cleaned previously), but the 
bug is that it's not checking the realm. So if realm 'foo' has idleTimeout 
30 secs, then it will clean up all ClientSessions older than 30 seconds, 
even from different realms...

Marek

On 29.10.2014 19:03, Stian Thorgersen wrote:
> Looks like it's only Mongo and JPA that's doing this, while both mem and Infinispan are not.
>
> I reckon we just fix it for mem and Infinispan, there's not really any need for two separate methods.
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak dev" <keycloak-dev at lists.jboss.org>
>> Sent: Wednesday, 29 October, 2014 5:28:10 PM
>> Subject: Re: [keycloak-dev] ClientSessions may never be removed
>>
>> Right now we are already doing the cleanup of expired ClientSessions in
>> UserSessionProvider.removeExpiredUserSessions() for mem, jpa and mongo
>> providers.
>>
>> So it seems that the only one missing is InfinispanUserSessionProvider.
>>
>> Maybe it's better to introduce a new method on UserSessionProvider like
>> "removeExpiredClientSessions()" and move the removal of expired client
>> sessions there? Or we can keep it as it is and just fix the infinispan
>> provider? Not sure which possibility is better.
>>
>> Marek
>>
>> On 29.10.2014 16:23, Stian Thorgersen wrote:
>>> As new client sessions are initially detached there's a chance they are
>>> never linked to a user session (for example user closes browser when login
>>> page is displayed). These client sessions are never removed. I reckon we
>>> need to have a similar garbage collection of client sessions as we do for
>>> user sessions.
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-788
>>
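
The cross-realm cleanup problem described in the reply at the top of this message, as an added example (not Keycloak's code and not part of the thread). The class, record and method names, the 1800-second timeout for realm 'bar' and the sample sessions are hypothetical; records need Java 16 or later.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical model, not Keycloak's classes.
public class DetachedClientSessionCleanup {
    // userSessionId == null means the client session was never linked to a user session.
    record ClientSession(String id, String realm, String userSessionId, int timestamp) {}

    // Behaviour described in the thread: the realm argument is never compared with
    // the session's realm, so one realm's idle timeout expires every realm's
    // detached client sessions.
    static void removeExpiredUnscoped(Map<String, ClientSession> sessions,
                                      String realm, int idleTimeout, int now) {
        sessions.values().removeIf(s -> s.userSessionId() == null
                && s.timestamp() < now - idleTimeout);
    }

    // Realm-scoped variant: only detached sessions of the realm being cleaned qualify.
    static void removeExpiredScoped(Map<String, ClientSession> sessions,
                                    String realm, int idleTimeout, int now) {
        sessions.values().removeIf(s -> s.userSessionId() == null
                && s.realm().equals(realm)
                && s.timestamp() < now - idleTimeout);
    }

    // Constructed sample data: every session was last touched 100 seconds before now=1000.
    static Map<String, ClientSession> sample() {
        Map<String, ClientSession> m = new LinkedHashMap<>();
        m.put("foo-detached", new ClientSession("foo-detached", "foo", null, 900));
        m.put("bar-detached", new ClientSession("bar-detached", "bar", null, 900));
        m.put("bar-attached", new ClientSession("bar-attached", "bar", "us-1", 900));
        return m;
    }

    public static void main(String[] args) {
        int now = 1000;
        int fooIdleTimeout = 30; // realm 'foo': 30 s; realm 'bar' is assumed to allow 1800 s

        Map<String, ClientSession> unscoped = sample();
        removeExpiredUnscoped(unscoped, "foo", fooIdleTimeout, now);
        // bar-detached is gone here although it is well inside bar's own timeout.
        System.out.println("unscoped cleanup keeps: " + unscoped.keySet());

        Map<String, ClientSession> scoped = sample();
        removeExpiredScoped(scoped, "foo", fooIdleTimeout, now);
        System.out.println("scoped cleanup keeps:   " + scoped.keySet());
    }
}
```

For users of the other realm the unscoped variant shows up as login flows that fail part-way through, because their pending client session disappears while they are still on the login page.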