0036364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0036364

Openbravo ERP

A. Platform

public

2017-06-27 22:33

2017-07-03 10:11

Reporter

mtaal

Assigned To

mtaal

Priority

normal

Severity

minor

Reproducibility

have not tried

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

3.0PR17Q3

Fixed in Version

3.0PR17Q3

Merge Request Status

Review Assigned To

AugustoMauch

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0036364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered

Description

The main issue is related to the fact that all logins, even stateless ones, are registering a record in the SessionListener [1] with the wrong session id.

When the BaseWebService is authenticating it calls the createDBSession which creates a SessionLogin. When the SessionLogin is saved (AuthenticationManager.createDBSession line 476) it adds its key to the SessionListener. This session is never destroyed so it is never removed from the sessionInContext set of SessionListener. When tomcat stops this Set is iterated printing the info.

The second related issue is that the key stored in the sessionsInContext is not the real ad_session_id created in the database. So the updates to deactivate the sessions never update any record. :( You can check this in the SessionLogin.save(). A random key is generated and set in the SessionListner, but later the AD_Session is created but this key is not set so a different uuid is created in database.

The good thing. Is that the ad_sessions that are created in the Stateless WebService calls are created with the session_active flag to false. So they are not required to deactivate them when tomcat is stopped.

So 2 issues to fix:

1. The ad_session_id stored in SessionListener.sessionsInContext set is not the real ad_session_id created in database.
2. The ad_session records created in stateless request are already created with the session_active to false so they shouldn't be added to the session listener at all.

[1]
https://code.openbravo.com/erp/devel/pi/file/3f6b96e0cba9/src/org/openbravo/erpCommon/security/SessionLogin.java#l118 [^]

Steps To Reproduce

Put a breakpoint in the session listener
Run one of the stateless testcases: StatelessRetailOrderLoaderTest or TestStatelessWebService

Check that a session id is registered in the sessionlistener

Proposed Solution

Prevent stateless requests to register a session id in the sessionlistener

Additional Information