[jetty-dev] Jetty session expiration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Jetty session expiration

From: Marc Klinger <mklinger@xxxxxxxxxxxx>
Date: Tue, 03 Apr 2012 15:13:55 +0200
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120310 Thunderbird/11.0

Hi,

I experience problems with Jetty sessions expiring too early. I docross-context-dispatching. Every context gets an own session object fromJetty but is sharing the same session id (JSESSIONID cookie). Then, whenthe first session object times out, all session objects using the samesession id are invalidated.

I assume this also to happen in a "normal" webapp environment (withoutcross-context-dispatching) with a root application (context path "/")and another application (e.g. context path "/foobar"). Both applicationsuse the same session id but different session objects. The session thattimes out first will destroy all other sessions with the same id.

I am using Jetty 8, but the same problem is already described for Jetty6 here:http://jetty.4.n6.nabble.com/incorrect-session-invalidation-td35263.html

The root cause of the problem is the AbstractSession.invalidate() methodwhich calls AbstractSessionManager.removeSession(this,true). This may bethe desired behavior when calling HttpSession.invalidate() from within aweb application.

However, session timeouts should be handled differently. I would expectthe session access time to be "synchronized" between sessions with thesame id in some way (which would result in the shortest session timeoutto win) or only to invalidate sessions when all sessions with the sameid are ready to be invalidated (which would result in the longestsession timeout to win).

The same problem appears when a context gets stopped. All sessions ofthis context get invalidated which also invalidates all sessions withthe same ids from other contexts. This may prevent persisting sessionscorrectly (it depends on the order in which the contexts are stopped).Hot-deployment of contexts destroys the session of all other contextswith the same session ids.

What do you think about this problem? Should I open a bug for this? I amwilling to contribute code if one of the solutions described above wouldbe acceptable or someone can point me to a better solution.


Regards,
Marc

Follow-Ups:
- Re: [jetty-dev] Jetty session expiration
  - From: Jan Bartel

Prev by Date: Re: [jetty-dev] Unregistering OSGi web bundles when they are stoped in the framwork
Next by Date: Re: [jetty-dev] Jetty session expiration
Previous by thread: [jetty-dev] Unregistering OSGi web bundles when they are stoped in the framwork
Next by thread: Re: [jetty-dev] Jetty session expiration
Index(es):
- Date
- Thread

Breadcrumbs