  1. Nuxeo Platform
  2. NXP-18857

Sometimes, the HttpSession is invalidated twice


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.0-HF25, 7.10-HF03, 8.1
    • Fix Version/s: 6.0-HF27, 7.10-HF05, 8.1
    • Component/s: Authentication

      Description

      I ran into some trouble while doing some perf tests: the following method throws an exception (IllegalStateException) when I call /nuxeo/logout (not every time).
      The session is invalidated twice.
      The first time by Seam's sessionManager:

      org.nuxeo.ecm.platform.ui.web.auth.plugins.SeamJsfSessionManager.onBeforeSessionInvalidate
      

      The second time is explicit.

      class PluggableAuthenticationService
      
          public void invalidateSession(ServletRequest request) {
              if (!sessionManagers.isEmpty()) {
                  for (String smName : sessionManagers.keySet()) {
                      NuxeoAuthenticationSessionManager sm = sessionManagers.get(smName); // <== first time here
                      sm.onBeforeSessionInvalidate(request);
                  }
              }
              HttpServletRequest httpRequest = (HttpServletRequest) request;
              HttpSession session = httpRequest.getSession(false);
              if (session != null) {
                  session.invalidate(); // <== second time here
              }
          }
      

      It's important to use Seam to invalidate a seam based session because it handles some custom state which must be cleaned.
      The isValid state is handled by the servlet container (tomcat in our case) and is absolutely not exposed.
      There are only 2 implementations of NuxeoAuthenticationSessionManager (WebEngine and Seam).
      The web engine does nothing on `onBeforeSessionInvalidate`.
      Maybe we could update the NuxeoAuthenticationSessionManager and add a new operation named isInvalidationManager. Seam will return true.

      • Only the first sessionManager which returns true will invalidate the session.
      • The standard invalidate method will be invoked only if no sessionManager handled the invalidation.
