View Issue Details

ID | 0036364
Type | defect
Category | [Openbravo ERP] A. Platform
Severity | minor
Reproducibility | have not tried
Date Submitted | 2017-06-27 22:33
Last Update | 2017-07-03 10:11
Reporter | mtaal
View Status | public
Assigned To | mtaal
Priority | normal
Resolution | fixed
Fixed in Version | 3.0PR17Q3
Status | closed
Fix in branch |
Fixed in SCM revision | 7ef6d8ce4b58
Projection | none
ETA | none
Target Version | 3.0PR17Q3
OS | Any
Database | Any
Java version |
OS Version |
Database version |
Ant version |
Product Version |
SCM revision |
Review Assigned To | AugustoMauch
Web browser |
Modules | Core
Regression level |
Regression date |
Regression introduced in release |
Regression introduced by commit |
Triggers an Emergency Pack | No
Summary | 0036364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered
Description |
The main issue is related to the fact that all logins, even stateless ones, are registering a record in the SessionListener [1] with the wrong session id. When the BaseWebService is authenticating it calls the createDBSession which creates a SessionLogin. When the SessionLogin is saved (AuthenticationManager.createDBSession line 476) it adds its key to the SessionListener. This session is never destroyed so it is never removed from the sessionsInContext set of SessionListener. When tomcat stops this Set is iterated printing the info.

The second related issue is that the key stored in the sessionsInContext is not the real ad_session_id created in the database. So the updates to deactivate the sessions never update any record. :( You can check this in the SessionLogin.save(). A random key is generated and set in the SessionListener, but later the AD_Session is created but this key is not set so a different uuid is created in database.

The good thing is that the ad_sessions that are created in the Stateless WebService calls are created with the session_active flag to false. So they are not required to deactivate them when tomcat is stopped.

So 2 issues to fix:
1. The ad_session_id stored in SessionListener.sessionsInContext set is not the real ad_session_id created in database.
2. The ad_session records created in stateless request are already created with the session_active to false so they shouldn't be added to the session listener at all.

[1] https://code.openbravo.com/erp/devel/pi/file/3f6b96e0cba9/src/org/openbravo/erpCommon/security/SessionLogin.java#l118
Steps To Reproduce |
1. Put a breakpoint in the session listener.
2. Run one of the stateless testcases: StatelessRetailOrderLoaderTest or TestStatelessWebService.
3. Check that a session id is registered in the sessionlistener.

Proposed Solution | Prevent stateless requests to register a session id in the sessionlistener
Tags | No tags attached.
Attached Files |
Relationships | [ Relation Graph ] [ Dependency Graph ]
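The two defects the report describes, as an added illustration that is not Openbravo's code: an in-memory model of a listener that tracks session ids beside a session table, with the reported flow (a random key registered in the listener, a second uuid generated for the row, stateless logins registered too) next to the corrected flow (one id shared by the row and the listener, stateless logins never registered). Every class, field and method name below is a hypothetical stand-in for SessionListener, SessionLogin and AD_Session, and the maps stand in for the database; nothing here is the project's API.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

// Added illustration (hypothetical names throughout), not Openbravo code.
public class SessionRegistrationDemo {

    /** Stand-in for one AD_Session row: its id and the session_active flag. */
    static final class SessionRecord {
        final String id;
        boolean active;

        SessionRecord(String id, boolean active) {
            this.id = id;
            this.active = active;
        }
    }

    /** Stand-in for the AD_Session table, keyed by ad_session_id. */
    static final Map<String, SessionRecord> sessionTable = new HashMap<>();

    /** Stand-in for SessionListener.sessionsInContext. */
    static final Set<String> sessionsInContext = new HashSet<>();

    /**
     * Reported flow: the key handed to the listener is generated first and
     * never written to the row, so the row gets its own uuid. Stateless
     * logins are registered as well, although their row is created inactive.
     */
    static String saveAsReported(boolean stateless) {
        String listenerKey = UUID.randomUUID().toString();
        sessionsInContext.add(listenerKey);           // registered for every login
        String rowId = UUID.randomUUID().toString();  // a different uuid ends up in the table
        sessionTable.put(rowId, new SessionRecord(rowId, !stateless));
        return listenerKey;
    }

    /**
     * Corrected flow: the id is forced onto the row before it is persisted and
     * the same id is what the listener tracks; stateless logins, whose rows are
     * already inactive, are not registered at all.
     */
    static String saveFixed(boolean stateless) {
        String id = UUID.randomUUID().toString();
        sessionTable.put(id, new SessionRecord(id, !stateless));
        if (!stateless) {
            sessionsInContext.add(id);
        }
        return id;
    }

    /**
     * What shutdown is meant to do: deactivate every session still in context.
     * Returns how many rows were actually updated, which is the observable
     * difference between the two flows.
     */
    static int deactivateSessionsInContext() {
        int updated = 0;
        for (String key : sessionsInContext) {
            SessionRecord row = sessionTable.get(key);
            if (row != null && row.active) {
                row.active = false;
                updated++;
            }
        }
        sessionsInContext.clear();
        return updated;
    }

    static void reset() {
        sessionTable.clear();
        sessionsInContext.clear();
    }

    public static void main(String[] args) {
        // One stateful login and one stateless login through each flow.
        reset();
        saveAsReported(false);
        saveAsReported(true);
        System.out.println("reported flow: keys in context=" + sessionsInContext.size()
                + ", rows deactivated at shutdown=" + deactivateSessionsInContext());

        reset();
        saveFixed(false);
        saveFixed(true);
        System.out.println("fixed flow: keys in context=" + sessionsInContext.size()
                + ", rows deactivated at shutdown=" + deactivateSessionsInContext());
    }
}
```

Running main makes the report's point concrete: in the reported flow both logins leave a key in the listener, yet none of those keys matches a row, so the shutdown update touches nothing; in the fixed flow only the stateful login is tracked and the shutdown update deactivates exactly that row. The check worth keeping from this model is the return value of the deactivation step: a non-zero count confirms the listener's keys and the persisted ids are the same thing.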
Notes

(0097754) hgbot (developer) 2017-06-29 11:28
Repository: erp/devel/pi
Changeset: 7ef6d8ce4b58374e5f74e51962b1a7f6a9ee36bb
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Thu Jun 29 11:28:15 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/7ef6d8ce4b58374e5f74e51962b1a7f6a9ee36bb

Fixes issue 36364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered
Prevent stateless request from being registered in SessionListener. Force the correct id in the Session record
---
M src/org/openbravo/erpCommon/security/SessionLogin.java
---

(0097768) AugustoMauch (administrator) 2017-06-29 13:37
Code reviewed and verified

(0097785) hudsonbot (developer) 2017-06-30 17:19
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/afd14b274336
Maturity status: Test
Issue History

Date Modified | Username | Field | Change
2017-06-27 22:33 | mtaal | New Issue |
2017-06-27 22:33 | mtaal | Assigned To | => mtaal
2017-06-27 22:33 | mtaal | Modules | => Core
2017-06-27 22:33 | mtaal | Triggers an Emergency Pack | => No
2017-06-29 11:26 | mtaal | Review Assigned To | => AugustoMauch
2017-06-29 11:27 | mtaal | Summary | Stateless requests register session id in SessionListener while this should not happen => Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered
2017-06-29 11:27 | mtaal | Description Updated | View Revisions
2017-06-29 11:28 | hgbot | Checkin |
2017-06-29 11:28 | hgbot | Note Added: 0097754 |
2017-06-29 11:28 | hgbot | Status | new => resolved
2017-06-29 11:28 | hgbot | Resolution | open => fixed
2017-06-29 11:28 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/7ef6d8ce4b58374e5f74e51962b1a7f6a9ee36bb
2017-06-29 13:37 | AugustoMauch | Note Added: 0097768 |
2017-06-29 13:37 | AugustoMauch | Status | resolved => closed
2017-06-29 13:37 | AugustoMauch | Fixed in Version | => 3.0PR17Q3
2017-06-30 17:19 | hudsonbot | Checkin |
2017-06-30 17:19 | hudsonbot | Note Added: 0097785 |
2017-07-03 10:11 | alostale | Relationship added | related to 0035994