[ICE-8833] Session leak in SessionMonitors - ICEsoft JIRA Issue Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: EE-1.8.2.GA_P05
Fix Version/s: EE-1.8.2.GA_P06
Component/s: None
Labels:
None
Environment:
icefaces-1.8.2 revision 32630 from trunk, tomcat 6.0.32, jdk 1.6_027

Assignee Priority:
P2

Description

SessionDispatcher do not remove invalidated sessions from Map.
In worst case users notice thousands of unused session objects (some old Jira issues I saw here).
I attached file SessionDispatcher.java with additional logger messages.

Test case.
Prepare app with form-login for basic authentication and logout button.
If you logon and logout few times 'Session Monitor session count' grows and many 'session already invalidated' messages occurs every 10 seconds..

The main reason is line:
iterator = new ArrayList(SessionMonitors.values()).iterator();
Session cleaner do not clean correct list.
After change to
iterator = SessionMonitors.values().iterator();
everything seems to be ok and sessions are removed.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

SessionDispatcher.java

02/Jan/13 8:14 PM

21 kB

Krashan Brahmanjara
SessionDispatcher.java

16/Dec/12 9:55 PM

20 kB

Krashan Brahmanjara
SessionDispatcher.java

14/Dec/12 11:11 PM

20 kB

Krashan Brahmanjara
sessionerrors.txt

02/Jan/13 8:13 PM

4 kB

Krashan Brahmanjara
sessionlog.txt

14/Dec/12 11:12 PM

2 kB

Krashan Brahmanjara
sessionlog2.txt

14/Dec/12 11:25 PM

3 kB

Krashan Brahmanjara
sessionlog3.txt

16/Dec/12 9:59 PM

3 kB

Krashan Brahmanjara
web.xml

04/Jan/13 7:43 PM

11 kB

Krashan Brahmanjara

sessionproblems.PNG

85 kB

16/Dec/12 10:15 PM

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Krashan Brahmanjara added a comment - 14/Dec/12 11:11 PM

Patched SessionDispatcher.

Show

Krashan Brahmanjara added a comment - 14/Dec/12 11:11 PM Patched SessionDispatcher.

13 older comments

Hide

Permalink

Krashan Brahmanjara added a comment - 02/Jan/13 8:14 PM - edited

Added SessionDispatched.java with 'key' fix and Mircea Toma last changes

Show

Krashan Brahmanjara added a comment - 02/Jan/13 8:14 PM - edited Added SessionDispatched.java with 'key' fix and Mircea Toma last changes

Hide

Permalink

Deryk Sinotte added a comment - 03/Jan/13 9:41 PM

Please review last comments to ensure our fix is valid and complete.

Show

Deryk Sinotte added a comment - 03/Jan/13 9:41 PM Please review last comments to ensure our fix is valid and complete.

Hide

Permalink

Krashan Brahmanjara added a comment - 04/Jan/13 7:43 PM - edited

Last three post was verified with complex application based of last Icefaces 1.8 from trunk. My web.xml in attachment.
I took clean copy of SessionDispatcher and merged it with my logger messages.
After this I still saw SessionMonitor items with key not equal to sessionId and they can never be removed from the map (even after invalidation by Tomcat engine like in sessionerrors.txt).
My additional patch was necessary to pass performance and memory leaks tests

Show

Krashan Brahmanjara added a comment - 04/Jan/13 7:43 PM - edited Last three post was verified with complex application based of last Icefaces 1.8 from trunk. My web.xml in attachment. I took clean copy of SessionDispatcher and merged it with my logger messages. After this I still saw SessionMonitor items with key not equal to sessionId and they can never be removed from the map (even after invalidation by Tomcat engine like in sessionerrors.txt). My additional patch was necessary to pass performance and memory leaks tests

Hide

Permalink

Mircea Toma added a comment - 24/Jan/13 1:09 PM

Applied (slightly modified) patch provided by Krashan. The fix modifies Monitor class to removes itself from the list of running monitors when invalidating an expired session. Also, changed getId() to a static method so that it can be used in all the places where the session ID is required.

The fix was tested in following scenarios:
A) natural session expiry
B) invalidated after accessing the app through a login form
C) application redeploy while session still valid
D) waking up the machine, after being put to sleep while the session still valid

In all the cases there were no SessionMonitor instances being left in the list of session monitors.

Show

Mircea Toma added a comment - 24/Jan/13 1:09 PM Applied (slightly modified) patch provided by Krashan. The fix modifies Monitor class to removes itself from the list of running monitors when invalidating an expired session. Also, changed getId() to a static method so that it can be used in all the places where the session ID is required. The fix was tested in following scenarios: A) natural session expiry B) invalidated after accessing the app through a login form C) application redeploy while session still valid D) waking up the machine, after being put to sleep while the session still valid In all the cases there were no SessionMonitor instances being left in the list of session monitors.

Hide

Permalink

Krashan Brahmanjara added a comment - 11/Feb/13 1:53 PM

Improved version works perfectly.

Show

Krashan Brahmanjara added a comment - 11/Feb/13 1:53 PM Improved version works perfectly.

People

Assignee:

Mircea Toma

Reporter:

Krashan Brahmanjara

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

14/Dec/12 11:09 PM

Updated:

14/Nov/14 5:42 PM

Resolved:

24/Jan/13 1:09 PM