[keycloak-dev] ClientSessions may never be removed

Stian Thorgersen stian at redhat.com
Wed Oct 29 14:29:11 EDT 2014



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Wednesday, 29 October, 2014 7:26:05 PM
> Subject: Re: [keycloak-dev] ClientSessions may never be removed
> 
> +1
> 
> For mem we seem to be doing it too here:
> https://github.com/keycloak/keycloak/blob/master/model/sessions-mem/src/main/java/org/keycloak/models/sessions/mem/MemUserSessionProvider.java#L197
> 
> However it looks to me that there is bug in it. It's checking
> ClientSessions without associated UserSession (which is ok to me as
> those associated with UserSessionModel were cleaned previously), but the
> bug is that it's not checking realm. So if realm 'foo' has idleTimeout
> 30 secs, then it will cleanup all ClientSessions older than 30 seconds,
> even from different realms...

You're right, I miss-read the code ;)

> 
> Marek
> 
> On 29.10.2014 19:03, Stian Thorgersen wrote:
> > Looks like it's only Mongo and JPA that's doing this, while both mem and
> > Infinispan are not.
> >
> > I reckon we just fix it for mem and Infinispan, there's not really any need
> > for two separate methods.
> >
> > ----- Original Message -----
> >> From: "Marek Posolda" <mposolda at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak dev"
> >> <keycloak-dev at lists.jboss.org>
> >> Sent: Wednesday, 29 October, 2014 5:28:10 PM
> >> Subject: Re: [keycloak-dev] ClientSessions may never be removed
> >>
> >> Right now we are already doing the cleanup of expired ClientSessions in
> >> UserSessionProvider.removeExpiredUserSessions() for mem, jpa and mongo
> >> providers.
> >>
> >> So it seems that only one missing is InfinispanUserSessionProvider.
> >>
> >> Maybe it's better to introduce new method on UserSessionProvider like
> >> "removeExpiredClientSessions()" and move the removal of expired client
> >> sessions there? Or we can keep as it is and just fix the infinispan
> >> provider? Not sure which possibility is better.
> >>
> >> Marek
> >>
> >> On 29.10.2014 16:23, Stian Thorgersen wrote:
> >>> As new client sessions are initially detached there's a chance they are
> >>> never linked to a user session (for example user closes browser when
> >>> login
> >>> page is displayed). These client sessions are never removed. I reckon we
> >>> need to have a similar garbage collection of client sessions as we do for
> >>> user sessions.
> >>>
> >>> https://issues.jboss.org/browse/KEYCLOAK-788
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> 


More information about the keycloak-dev mailing list