Uploaded image for project: 'Application Server 3 4 5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-8915

Avoid look up session from the others web context's distributed cache when create a new sessions/read expired sessions.

XMLWordPrintable

    • Hide

      add -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false

      Show
      add -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false

      if we create a new session, or request an invalidated session, tomcat will try to look up the session from the others web context's distributed cache. if we have many web context, it's a big issue.
      in org.apache.catalina.connector.Request
      // Verify that the submitted session id exists in one of the host's web applications
      String sessionId = requestedSessionId;
      if (sessionId != null) {
      if (SESSION_ID_CHECK) {
      boolean found = false;
      try {
      if (!found) {
      Container children[] = getHost().findChildren();
      for (int i = 0; (i < children.length) && !found; i++) {
      if ((children[i].getManager() != null)
      && (children[i].getManager().findSession(sessionId) != null))

      { found = true; }

      }
      }
      } catch (IOException e)

      { // Ignore: one manager is broken, and it will show up elsewhere again }

      if (!found)

      { sessionId = null; }

      } else if (!isRequestedSessionIdFromCookie())

      { sessionId = null; }

      }
      i can disable it by -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false;

              pferraro@redhat.com Paul Ferraro
              jimmy.xu_jira jimmy xu (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated: