View Revisions: Issue #36364
Summary 0036364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered
Revision 2017-06-29 11:27 by mtaal
Description The main issue is related to the fact that all logins, even stateless ones, are registering a record in the SessionListener [1] with the wrong session id.
 
When the BaseWebService is authenticating, it calls createDBSession, which creates a SessionLogin. When the SessionLogin is saved (AuthenticationManager.createDBSession line 476) it adds its key to the SessionListener. This session is never destroyed, so it is never removed from the sessionsInContext set of SessionListener. When Tomcat stops, this Set is iterated printing the info.

The second related issue is that the key stored in sessionsInContext is not the real ad_session_id created in the database. So the updates to deactivate the sessions never update any record. :( You can check this in SessionLogin.save(). A random key is generated and set in the SessionListener, but later the AD_Session is created without this key being set, so a different uuid is created in the database.

The good thing is that the ad_sessions created in the stateless WebService calls are created with the session_active flag set to false. So it is not required to deactivate them when Tomcat is stopped.

So 2 issues to fix:

1. The ad_session_id stored in the SessionListener.sessionsInContext set is not the real ad_session_id created in the database.
2. The ad_session records created in stateless requests are already created with session_active set to false, so they shouldn't be added to the session listener at all.

[1]
https://code.openbravo.com/erp/devel/pi/file/3f6b96e0cba9/src/org/openbravo/erpCommon/security/SessionLogin.java#l118
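The registration mismatch described in this revision, as an added illustrative model. This is not Openbravo's code: SessionListener, SessionLogin and AD_Session are reduced to an in-memory set and map, and the two save flows are hypothetical stand-ins that only reproduce the pattern (random key registered, different uuid persisted, stateless sessions registered anyway) beside the corrected pattern the two listed fixes describe.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

// Hypothetical, self-contained model of the defect described in the issue.
// Names mirror the report (sessionsInContext, AD_Session) but the code is not
// Openbravo's; it only reproduces the registration pattern and its fix.
public class SessionRegistrationDemo {

    // Stand-in for the AD_Session table: ad_session_id -> session_active flag.
    static final Map<String, Boolean> AD_SESSION = new HashMap<>();

    // Stand-in for SessionListener.sessionsInContext.
    static final Set<String> sessionsInContext = new HashSet<>();

    /** Buggy flow: register a random key, then persist a row under a different id,
     *  and do so even for stateless requests. */
    static String saveBuggy(boolean stateless) {
        String listenerKey = UUID.randomUUID().toString();
        sessionsInContext.add(listenerKey);                // registered regardless of statelessness
        String adSessionId = UUID.randomUUID().toString(); // key not reused: different uuid in DB
        AD_SESSION.put(adSessionId, !stateless);           // stateless rows start inactive
        return adSessionId;
    }

    /** Fixed flow: persist first, register the id the row actually carries,
     *  and skip stateless sessions, which are already inactive. */
    static String saveFixed(boolean stateless) {
        String adSessionId = UUID.randomUUID().toString();
        AD_SESSION.put(adSessionId, !stateless);
        if (!stateless) {
            sessionsInContext.add(adSessionId);            // same id as the DB row
        }
        return adSessionId;
    }

    /** What the listener does at Tomcat shutdown: deactivate every registered
     *  session. Returns the number of AD_Session rows actually updated. */
    static int deactivateOnShutdown() {
        int updated = 0;
        for (String id : sessionsInContext) {
            if (Boolean.TRUE.equals(AD_SESSION.get(id))) {
                AD_SESSION.put(id, false);
                updated++;
            }
        }
        sessionsInContext.clear();
        return updated;
    }

    static void reset() {
        AD_SESSION.clear();
        sessionsInContext.clear();
    }

    public static void main(String[] args) {
        // One stateful login and one stateless web-service call in each flow.
        reset();
        saveBuggy(false);
        saveBuggy(true);
        System.out.println("buggy: registered=" + sessionsInContext.size()
            + " updated=" + deactivateOnShutdown());

        reset();
        saveFixed(false);
        saveFixed(true);
        System.out.println("fixed: registered=" + sessionsInContext.size()
            + " updated=" + deactivateOnShutdown());
    }
}
```

Running the model shows the two symptoms from the report side by side: the buggy flow leaves both calls registered (the stateless one included) and the shutdown update matches no row, because the registered keys never exist in the table; the fixed flow registers only the stateful session under its real id, and the shutdown pass deactivates exactly that row.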
Revision 2017-06-29 11:26 by mtaal
Description The main issue is related to the fact that all logins, even stateless ones, are registering a record in the SessionListener [1].

When the BaseWebService is authenticating, it calls createDBSession, which creates a SessionLogin. When the SessionLogin is saved (AuthenticationManager.createDBSession line 476) it adds its key to the SessionListener. This session is never destroyed, so it is never removed from the sessionsInContext set of SessionListener. When Tomcat stops, this Set is iterated printing the info.

The second related issue is that the key stored in sessionsInContext is not the real ad_session_id created in the database. So the updates to deactivate the sessions never update any record. :( You can check this in SessionLogin.save(). A random key is generated and set in the SessionListener, but later the AD_Session is created without this key being set, so a different uuid is created in the database.

The good thing is that the ad_sessions created in the stateless WebService calls are created with the session_active flag set to false. So it is not required to deactivate them when Tomcat is stopped.

So 2 issues to fix:

1. The ad_session_id stored in the SessionListener.sessionsInContext set is not the real ad_session_id created in the database.
2. The ad_session records created in stateless requests are already created with session_active set to false, so they shouldn't be added to the session listener at all.

[1]
https://code.openbravo.com/erp/devel/pi/file/3f6b96e0cba9/src/org/openbravo/erpCommon/security/SessionLogin.java#l118