]
Marek Kopecky commented on WFLY-11115:
--------------------------------------
[~swd847] It seems that this issue is fixed in WF20 by UNDERTOW-1419 and can be resolved
now. (cc [~manovotn])
bumpTimeout method usage in InMemorySessionManager
--------------------------------------------------
Key: WFLY-11115
URL:
https://issues.redhat.com/browse/WFLY-11115
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 14.0.1.Final, 15.0.0.Beta1
Reporter: Adam Krajcik
Assignee: Stuart Douglas
Priority: Major
Possible bug as mentioned in
https://developer.jboss.org/thread/278634. As mentioned in
the thread, use of bumpTimeout may cause a session that may never expire.
From [~jstourac]:
{quote}
The list of methods where 'bumpTimeout' is actually used in
[
InMemorySessionManager|https://github.com/undertow-io/undertow/blob/maste...]
to following: createSession(), setMaxInactiveInterval(), getAttribute(),
getAttributeNames(), setAttribute(), removeAttribute(). From this list usage in following
methods is suspicious: getAttribute(), getAttributeNames(), setAttribute(),
removeAttribute().
All occurrences were added by [this
commit|https://github.com/undertow-io/undertow/commit/be768b6cb98c13f02df...]
with initial session timeout implementation.
The truth is the [Servlet 4.0, section
7.5|https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf]
specification (Servlet 3.1 is almost identical) specifies that timeout depends on user
activity only:
"This means that the only mechanism that can be used to indicate when a client is no
longer active is a time out period."
{quote}
Response from [~stuartdouglas] from mail:
{quote}
We could probably change that to just update the timeout in requestDone().
{quote}