Emond Papegaaij commented on Bug WELD-1607

We've finally managed to trigger the problem with increased logging. The relevant part of the stacktrace is:

[2014-04-29 20:01:09,946] [DEBUG] [ajp-bio-8009-exec-38] Servlet | Catching
java.lang.IllegalStateException: getAttribute: Session already invalidated
        at org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1165)
        at org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:122)
        at org.jboss.weld.context.http.HttpConversationContextImpl.getSessionAttribute(HttpConversationContextImpl.java:29)
        at org.jboss.weld.context.http.HttpConversationContextImpl.getSessionAttribute(HttpConversationContextImpl.java:13)
        at org.jboss.weld.context.AbstractConversationContext.copyConversationIdGeneratorAndConversationsToSession(AbstractConversationContext.java:180)
        at org.jboss.weld.context.AbstractConversationContext.dissociate(AbstractConversationContext.java:160)

Other logging shows that 2 requests were sharing the same httpsession, even though these requests are WS-requests, which do not use bound sessions. At the moment we can only conclude it is caused by this race condition in the old version of Tomcat: https://issues.apache.org/bugzilla/show_bug.cgi?id=55521 . We've instructed our administrators to update Tomcat, which they did not find necessary before, even though the outdated version is remotely exploitable and vulnerable to several DOS-attacks. I'll report back when I have confirmation that this issue is indeed solved by upgrading Tomcat (which can take some time, because it is only triggered once every few days).

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira