Tarlog

Reputation: 10154

Jetty does not remove timed-out session, if the session was replaced in runtime

In the application, we switch sessions once the user mode is changed.

So basically we have something like this:

request.getSession(false).invalidate();
request.getSession(true);

Now the problem happens: after timeout, the session is not removed. After debugging some internal code, I found out that in org.eclipse.jetty.server.session.AbstractSession.timeout() the session is not removed if _requests > 0. And the _requests is greater than zero, since in org.eclipse.jetty.server.session.SessionHandler.doScope(String, Request, HttpServletRequest, HttpServletResponse) the complete() runs on the access session is increased and the same session is decreased, even if during the invocation the actual session was replaced!

Did anyone experience the same problem and managed to solve it?

Updated: I created a workaround. See accepted answer below.

Updated: Bug in Jersey Community: https://bugs.eclipse.org/bugs/show_bug.cgi?id=377610

Upvotes: 1

Views: 3195

Answers (1)

Tarlog

Reputation: 10154

I have solved this problem by overriding the SessionHandler:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.session.SessionHandler;

public class MySessionHandler extends SessionHandler {

    @Override
    public void doScope(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

        HttpSession oldSession = request.getSession(false);
        super.doScope(target, baseRequest, request, response);
        HttpSession newSession = request.getSession(false);

        if (newSession != null && oldSession != newSession) {
            getSessionManager().complete(newSession);
        }
    }
}

In the application's context:

<Set name="sessionHandler">
     <New class="*************.MySessionHandler">
     </New>
</Set>

Upvotes: 1
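A way to check that replaced sessions really do expire once the workaround above is deployed, as an added example that is not part of the original post or of Jetty: a standard `HttpSessionListener` that tracks live sessions and reports those past their inactivity timeout. The class name `StaleSessionAuditor`, the method `overdueSessionIds` and the `graceMillis` parameter are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical helper (not Jetty code): remembers every session the container
// creates and forgets it when the container reports it destroyed.
public class StaleSessionAuditor implements HttpSessionListener {

    private static final Map<String, HttpSession> LIVE =
            new ConcurrentHashMap<String, HttpSession>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LIVE.put(se.getSession().getId(), se.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        LIVE.remove(se.getSession().getId());
    }

    // Returns ids of sessions that should already have timed out but are still
    // alive. graceMillis is an assumed allowance for the scavenger interval.
    // Treat the returned ids as secrets: log a hash or a prefix, not the id.
    public static List<String> overdueSessionIds(long nowMillis, long graceMillis) {
        List<String> overdue = new ArrayList<String>();
        for (Map.Entry<String, HttpSession> e : LIVE.entrySet()) {
            HttpSession s = e.getValue();
            try {
                int maxIdleSec = s.getMaxInactiveInterval();
                if (maxIdleSec <= 0) {
                    continue; // configured never to time out
                }
                long deadline = s.getLastAccessedTime() + maxIdleSec * 1000L + graceMillis;
                if (nowMillis > deadline) {
                    overdue.add(e.getKey());
                }
            } catch (IllegalStateException alreadyInvalidated) {
                LIVE.remove(e.getKey()); // invalidated without our callback firing
            }
        }
        return overdue;
    }
}
```

Register the class with a `<listener>` element in `web.xml` and call `overdueSessionIds(System.currentTimeMillis(), grace)` from a periodic job; a non-empty result after a session switch means a session has outlived its timeout.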
