Anonymous | Login
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] A. Platformminorhave not tried2017-06-27 22:332017-07-03 10:11
ReportermtaalView Statuspublic 
Assigned Tomtaal 
PrioritynormalResolutionfixedFixed in Version3.0PR17Q3
StatusclosedFix in branchFixed in SCM revision7ef6d8ce4b58
ProjectionnoneETAnoneTarget Version3.0PR17Q3
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned ToAugustoMauch
Web browser
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo

0036364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered

DescriptionThe main issue is related to the fact that all logins, even stateless ones, are registering a record in the SessionListener [1] with the wrong session id.
When the BaseWebService is authenticating it calls the createDBSession which creates a SessionLogin. When the SessionLogin is saved (AuthenticationManager.createDBSession line 476) it adds its key to the SessionListener. This session is never destroyed so it is never removed from the sessionInContext set of SessionListener. When tomcat stops this Set is iterated printing the info.

The second related issue is that the key stored in the sessionsInContext is not the real ad_session_id created in the database. So the updates to deactivate the sessions never update any record. :( You can check this in the A random key is generated and set in the SessionListner, but later the AD_Session is created but this key is not set so a different uuid is created in database.

The good thing. Is that the ad_sessions that are created in the Stateless WebService calls are created with the session_active flag to false. So they are not required to deactivate them when tomcat is stopped.

So 2 issues to fix:

1. The ad_session_id stored in SessionListener.sessionsInContext set is not the real ad_session_id created in database.
2. The ad_session records created in stateless request are already created with the session_active to false so they shouldn't be added to the session listener at all.

[1] [^]
Steps To ReproducePut a breakpoint in the session listener
Run one of the stateless testcases: StatelessRetailOrderLoaderTest or TestStatelessWebService

Check that a session id is registered in the sessionlistener
Proposed SolutionPrevent stateless requests to register a session id in the sessionlistener
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to design defect 0035994 closedcaristu Web service calls should not create ad_session entries being in an instance with unlimited web service calls 

-  Notes
hgbot (developer)
2017-06-29 11:28

Repository: erp/devel/pi
Changeset: 7ef6d8ce4b58374e5f74e51962b1a7f6a9ee36bb
Author: Martin Taal <martin.taal <at>>
Date: Thu Jun 29 11:28:15 2017 +0200
URL: [^]

Fixes issue 36364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered
Prevent stateless request from being registered in SessionListener.
Force the correct id in the Session record

M src/org/openbravo/erpCommon/security/
AugustoMauch (manager)
2017-06-29 13:37

Code reviewed and verified
hudsonbot (developer)
2017-06-30 17:19

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2017-06-27 22:33 mtaal New Issue
2017-06-27 22:33 mtaal Assigned To => mtaal
2017-06-27 22:33 mtaal Modules => Core
2017-06-27 22:33 mtaal Triggers an Emergency Pack => No
2017-06-29 11:26 mtaal Review Assigned To => AugustoMauch
2017-06-29 11:27 mtaal Summary Stateless requests register session id in SessionListener while this should not happen => Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered
2017-06-29 11:27 mtaal Description Updated View Revisions
2017-06-29 11:28 hgbot Checkin
2017-06-29 11:28 hgbot Note Added: 0097754
2017-06-29 11:28 hgbot Status new => resolved
2017-06-29 11:28 hgbot Resolution open => fixed
2017-06-29 11:28 hgbot Fixed in SCM revision => [^]
2017-06-29 13:37 AugustoMauch Note Added: 0097768
2017-06-29 13:37 AugustoMauch Status resolved => closed
2017-06-29 13:37 AugustoMauch Fixed in Version => 3.0PR17Q3
2017-06-30 17:19 hudsonbot Checkin
2017-06-30 17:19 hudsonbot Note Added: 0097785
2017-07-03 10:11 alostale Relationship added related to 0035994

Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker