-
Bug
-
Resolution: Done
-
Major
-
2.0.13.Final, 1.4.18.SP9
-
None
Possible bug as mentioned in https://developer.jboss.org/thread/278634. As mentioned in the thread, use of bumpTimeout may cause a session that may never expire.
From jstourac@redhat.com:
The list of methods where 'bumpTimeout' is actually used in InMemorySessionManager to following: createSession(), setMaxInactiveInterval(), getAttribute(), getAttributeNames(), setAttribute(), removeAttribute(). From this list usage in following methods is suspicious: getAttribute(), getAttributeNames(), setAttribute(), removeAttribute().
All occurrences were added by this commit with initial session timeout implementation.
The truth is the Servlet 4.0, section 7.5 specification (Servlet 3.1 is almost identical) specifies that timeout depends on user activity only:
"This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period."
Response from stuartdouglas_jira from mail:
We could probably change that to just update the timeout in requestDone().
- causes
-
UNDERTOW-1827 InMemorySessionManager must bump session timeout on requestStarted
- Resolved
-
UNDERTOW-1789 Bring back bumpTimeout in setMaxInactiveInterval of HttpSession
- Resolved
- is cloned by
-
WFLY-11115 bumpTimeout method usage in InMemorySessionManager
- Open
- is incorporated by
-
JBEAP-19474 [GSS](7.3.z) UNDERTOW-1419 - bumpTimeout method usage in InMemorySessionManager
- Closed
-
JBEAP-19475 [GSS](7.2.z) UNDERTOW-1419 - bumpTimeout method usage in InMemorySessionManager
- Closed