http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25792

Session timeout implemented incorrectly

------- Additional Comments From [EMAIL PROTECTED]  2003-12-30 14:29 -------
The session timeout in Tomcat seems to be implemented in a way that doesn't take
the background clean-up thread into account.

StandardSession has two variables:
thisAccessedTime - the time for current request
lastAccessedTime - the time for last request (needed by
HttpSession.getLastAccessedTime)

The times are updated only once per request by the container so that
HttpSession.getLastAccessedTime() returns the time of the previous request. The
same variable is later used by the background thread to determine if the session
should be invalidated. Therefore the background cleanup thread checks the access
time of the _second_ latest request. This explains why a 1 min refresh period
works with a 3 min timeout while a 2 min refresh period does not. Isn't it possible
that the session could even be invalidated while processing a request?

A quick'n'dirty fix would be as follows:
======
diff -u -b -r1.26 StandardSession.java
--- StandardSession.java        29 Nov 2003 18:06:35 -0000      1.26
+++ StandardSession.java        30 Dec 2003 12:52:44 -0000
@@ -584,7 +584,7 @@

         if (maxInactiveInterval >= 0) {
             long timeNow = System.currentTimeMillis();
-            int timeIdle = (int) ((timeNow - lastAccessedTime) / 1000L);
+            int timeIdle = (int) ((timeNow - thisAccessedTime) / 1000L);
             if (timeIdle >= maxInactiveInterval) {
                 expire(true);
             }
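Review bot: On the changed timeIdle line, idle time is now measured from thisAccessedTime, which the report describes as the time of the current request, so a request that itself runs longer than maxInactiveInterval can still reach expire(true) while it is being processed. Consider skipping expiry while a request is active on the session, or refreshing the timestamp when the request ends. A short comment on that line saying why thisAccessedTime is used instead of lastAccessedTime would also help, since lastAccessedTime stays in place for HttpSession.getLastAccessedTime().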
======

A more elaborate way would be to cache the lastAccessedTime in the
httpsessionfacade and update the StandardSession.lastAccessedTime directly w/o
the thisAccessedTime in between. I could write the more elaborate
patch if someone is willing to commit it.

Please comment.
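
The timing described in the comment above, as an added example that is not part of the original report or of Tomcat's code: a small model of the two timestamps and the background check, run for the 1 min and 2 min refresh periods against a 3 min timeout. The class and method names and the 15-second clean-up period are assumptions made for the illustration.

```java
// Added illustration, not Tomcat source. Names and the 15 s check period are assumptions.
public class SessionTimeoutModel {
    static final int CHECK_EVERY = 15; // assumed background clean-up period, seconds

    /**
     * Simulates a client that sends one request every `refresh` seconds.
     * Returns the second at which the clean-up pass expires the session,
     * or -1 if the session survives for `duration` seconds.
     */
    static long expiresAt(int refresh, int maxInactive, boolean useThisAccessed, int duration) {
        long thisAccessed = 0; // session created at t = 0
        long lastAccessed = 0;
        for (long now = 1; now <= duration; now++) {
            if (now % refresh == 0) {
                // Once per request: the previous request time moves to lastAccessedTime.
                lastAccessed = thisAccessed;
                thisAccessed = now;
            }
            if (now % CHECK_EVERY == 0) {
                // Background pass: same comparison as the hunk above.
                long reference = useThisAccessed ? thisAccessed : lastAccessed;
                int timeIdle = (int) (now - reference);
                if (timeIdle >= maxInactive) {
                    return now;
                }
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        int maxInactive = 180; // 3 min timeout, as in the report
        int duration = 3600;   // simulate one hour of steady refreshes
        for (int refresh : new int[] {60, 120}) {
            long before = expiresAt(refresh, maxInactive, false, duration);
            long after = expiresAt(refresh, maxInactive, true, duration);
            System.out.printf("refresh=%ds  lastAccessedTime check: %s  thisAccessedTime check: %s%n",
                    refresh, describe(before), describe(after));
        }
    }

    static String describe(long t) {
        return t < 0 ? "survives" : "expired at t=" + t + "s";
    }
}
```

With the lastAccessedTime comparison the measured idle time ranges up to almost twice the refresh period, which is why the 2 min client is expired under a 3 min timeout even though it never stopped sending requests.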
