[jboss-jira] [JBoss JIRA] (WFLY-11115) bumpTimeout method usage in InMemorySessionManager
Adam Krajcik (Jira)
issues at jboss.org
Thu Oct 4 09:19:00 EDT 2018
[ https://issues.jboss.org/browse/WFLY-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adam Krajcik moved UNDERTOW-1420 to WFLY-11115:
-----------------------------------------------
Project: WildFly (was: Undertow)
Key: WFLY-11115 (was: UNDERTOW-1420)
> bumpTimeout method usage in InMemorySessionManager
> --------------------------------------------------
>
> Key: WFLY-11115
> URL: https://issues.jboss.org/browse/WFLY-11115
> Project: WildFly
> Issue Type: Bug
> Reporter: Adam Krajcik
> Assignee: Stuart Douglas
> Priority: Major
>
> Possible bug as mentioned in https://developer.jboss.org/thread/278634. As mentioned in the thread, use of bumpTimeout may cause a session that may never expire.
> From [~jstourac]:
> {quote}
> The list of methods where 'bumpTimeout' is actually used in [InMemorySessionManager|https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/session/InMemorySessionManager.java] is the following: createSession(), setMaxInactiveInterval(), getAttribute(), getAttributeNames(), setAttribute(), removeAttribute(). From this list, usage in the following methods is suspicious: getAttribute(), getAttributeNames(), setAttribute(), removeAttribute().
> All occurrences were added by [this commit|https://github.com/undertow-io/undertow/commit/be768b6cb98c13f02dfd19befe4ebf687f47d84f#diff-d98bd5b5413945d50c03478570716776] with initial session timeout implementation.
> The truth is that the [Servlet 4.0, section 7.5|https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf] specification (Servlet 3.1 is almost identical) specifies that the timeout depends on user activity only:
> "This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period."
> {quote}
> Response from [~stuartdouglas] from mail:
> {quote}
> We could probably change that to just update the timeout in requestDone().
> {quote}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
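
A toy model of the behaviour discussed in this issue, added here as an illustration; it is not Undertow code and not part of the original message. Apart from getAttribute() and requestDone(), every name is hypothetical, and the scenario (server-side code reading a session attribute every 10 minutes while the client sends no requests) is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model, not Undertow code: class, enum and helper names are hypothetical.
public class SessionTimeoutDemo {
    enum Policy { BUMP_ON_ATTRIBUTE_ACCESS, BUMP_ON_REQUEST_DONE_ONLY }

    static final class ToySession {
        private final Policy policy;
        private final long maxInactiveMillis;
        private final Map<String, Object> attributes = new HashMap<>();
        private long expiresAt;

        ToySession(Policy policy, long maxInactiveMillis, long now) {
            this.policy = policy;
            this.maxInactiveMillis = maxInactiveMillis;
            this.expiresAt = now + maxInactiveMillis;
        }
        // Application code may call this outside of any client request.
        Object getAttribute(String name, long now) {
            if (policy == Policy.BUMP_ON_ATTRIBUTE_ACCESS) bump(now);
            return attributes.get(name);
        }
        // Called once when a client request for this session completes.
        void requestDone(long now) { bump(now); }

        boolean isExpired(long now) { return now >= expiresAt; }

        private void bump(long now) {
            if (!isExpired(now)) expiresAt = now + maxInactiveMillis;
        }
    }

    // Assumed scenario: one client request at t=0, then server-side reads only.
    static boolean expiredAfterBackgroundReads(Policy policy) {
        ToySession s = new ToySession(policy, 30 * 60_000L, 0); // 30 min timeout
        s.requestDone(0);
        long now = 0;
        for (int i = 0; i < 12; i++) {  // two hours without a client request
            now += 10 * 60_000L;        // read every 10 minutes
            s.getAttribute("user", now);
        }
        return s.isExpired(now);
    }

    public static void main(String[] args) {
        for (Policy p : Policy.values())
            System.out.println(p + " -> expired after 2h: " + expiredAfterBackgroundReads(p));
    }
}
```

With the timeout bumped on attribute access the session is still valid after two hours without a client request; when only requestDone() bumps it, the session expires 30 minutes after the last request.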