http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16874

           Summary: Same session of two different clients as a result of a lack in synchronization during recycling sessions
           Product: Tomcat 4
           Version: 4.1.18
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

The expire(boolean notify) method of StandardSession is not safely synchronized.

    public void expire(boolean notify) {

        // Mark this session as "being expired" if needed
        if (expiring)
            return;
        expiring = true;
        ...
        expiring = false;
    }

In my opinion, it is possible that the expire() method can be called twice. As a result of that, the same session object will be added to the recycled list twice. So the generateSession() of the ManagerBase will get the same session object twice. As a result, the same session will be shared by different clients!

So it would be nice if somebody with more background could review the source files and comment on this issue.
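The concern raised in this report can be modelled in a few lines. This is an added example in Java, a simplified model that is neither Tomcat's code nor the reporter's. It contrasts a guard shaped like the quoted excerpt with a one-shot atomic guard. Pool, FlagGuardedSession, OneShotSession and handedOutTwice are hypothetical names, and the model omits everything the real method does in the elided part.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.atomic.AtomicBoolean;

// Simplified model for illustration; class names are hypothetical, not Tomcat's.
public class RecycleRaceDemo {
    interface Session { void expire(Pool pool); }
    // Stand-in for the manager's recycled list.
    static class Pool {
        private final Deque<Session> recycled = new ArrayDeque<>();
        synchronized void recycle(Session s) { recycled.push(s); }
        synchronized Session take() { return recycled.poll(); }
    }

    // Guard shaped like the excerpt in the report: unsynchronized check, set, clear.
    static class FlagGuardedSession implements Session {
        private boolean expiring;
        public void expire(Pool pool) {
            if (expiring) return;
            expiring = true;
            pool.recycle(this);
            expiring = false;
        }
    }

    // One-shot guard: compareAndSet lets exactly one caller ever reach recycle().
    static class OneShotSession implements Session {
        private final AtomicBoolean expired = new AtomicBoolean(false);
        public void expire(Pool pool) {
            if (!expired.compareAndSet(false, true)) return;
            pool.recycle(this);
        }
    }

    // Two threads expire one session, then two "clients" each take a session from the pool.
    static boolean handedOutTwice(Session s) throws InterruptedException {
        Pool pool = new Pool();
        Thread a = new Thread(() -> s.expire(pool));
        Thread b = new Thread(() -> s.expire(pool));
        a.start(); b.start();
        a.join(); b.join();
        Session first = pool.take(), second = pool.take();
        return first != null && first == second;
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("flag guard shared:     " + handedOutTwice(new FlagGuardedSession()));
        System.out.println("one-shot guard shared: " + handedOutTwice(new OneShotSession()));
    }
}
```

The one-shot variant always reports false, because only one caller can win the compareAndSet. The flag variant's result depends on thread scheduling.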