• Bug
  • Status: Resolved
  • 2 Major
  • Resolution: Won't Fix
  • Sessions
  • teck
  • Reporter: shortmem
  • February 25, 2013
  • 0
  • Watchers: 2
  • September 06, 2013
  • September 06, 2013

Description

Some sessions cannot be expired from dev-console.

Even though there is an id associated with them, they are empty (have no attributes), and attempts to expire them via dev-console have no effect, either via “expire all” or “expire single”.

Some applications may create many short-lived sessions (for example, if using Spring Security with session fixation protection/concurrent login control) which *eventually* are not being invalidated.

It seems that the session store used by TerracottaSessionManager is keeping references to session ids without any data associated with them.

Maybe forcing the removal of such ids might solve the problem:

    private boolean expire(SessionId id) {
        boolean result = false;
        SessionData sd = null;
        boolean locked = false;
        try {
            sd = this.store.find(id);
            if (sd != null) {
                if (!isSessionLockingEnabled()) {
                    id.getWriteLock();
                }
                locked = true;
                expire(id, sd);
                result = true;
            } else {
                // FORCE REMOVE
                this.store.remove(id);
            }
        } finally {
            if ((sd != null) && (locked)) {
                id.commitWriteLock();
            }
        }
        return result;
    }

Comments

Cleber Muramoto 2013-02-25

For more details: http://forums.terracotta.org/forums/posts/list/8005.page#38542

Tim Eck 2013-09-06

This same issue likely doesn’t exist in the new session implementation present in 4.0.1+.