https://issues.apache.org/bugzilla/show_bug.cgi?id=51812
Bug #: 51812
Summary: Tomcat access logging "tickles" session causing session to never time out
Product: Tomcat 7
Version: 7.0.14
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: danlee5...@gmail.com
Classification: Unclassified

I have created a web app (servlet application) that does asynchronous hits from the browser to periodically fetch some status information and update the page. These asynchronous hits are directed to a dedicated servlet in the same webapp that takes great pains to never touch the session so that the session access time is not modified. The idea is that these asynchronous hits don't count as real hits, else the session would never idle time out.

This worked fine on Tomcat-6.0.14. Upgrading to Tomcat-7.0.14 causes a problem in that these asynchronous hits are updating the session access time.

I have traced the problem down to org.apache.catalina.valves.AccessLogValve.java. When it is doing its logging, it is trying to fetch the "principal" object from the session and thus changing the session last access time. This does not seem to be legitimate. Here is the relevant code:

    /**
     * Enforce the security restrictions in the web application deployment
     * descriptor of our associated Context.
     *
     * @param request Request to be processed
     * @param response Response to be processed
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if thrown by a processing element
     */
    @Override
    public void invoke(Request request, Response response)
        throws IOException, ServletException {

        if (log.isDebugEnabled())
            log.debug("Security checking request " +
                request.getMethod() + " " + request.getRequestURI());
        LoginConfig config = this.context.getLoginConfig();

        // Have we got a cached authenticated Principal to record?
        if (cache) {
            Principal principal = request.getUserPrincipal();
            if (principal == null) {
                Session session = request.getSessionInternal(false); // <- Session Ticked Here
                if (session != null) {
                    principal = session.getPrincipal();
                    if (principal != null) {
                        if (log.isDebugEnabled())
                            log.debug("We have cached auth type " +
                                session.getAuthType() +
                                " for principal " +
                                session.getPrincipal());
                        request.setAuthType(session.getAuthType());
                        request.setUserPrincipal(principal);
                    }
                }
            }

Changing the source code so that cache=false solves the problem, and the session access time is not affected by these asynchronous hits. I cannot find a way to set cache=false other than changing source. Adding cache="false" to the Valve tag in server.xml seems to have no effect.

It would be nice if this parameter were controllable or if the code did not have this characteristic. Logging should not affect the user's session.
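
One way for an application to enforce an idle timeout that background polling cannot reset, independent of the container's last-access time. This is an added example, not part of the original report and not Tomcat code; the attribute name, the `/status` polling path and the 30-minute limit are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Tracks "real" user activity in a session attribute instead of relying on
 *  HttpSession.getLastAccessedTime(), which the container may update on
 *  requests the application never meant to count. */
public class IdleTimeoutFilter implements Filter {
    // Hypothetical names and values chosen for this example.
    static final String LAST_REAL_HIT = "example.lastRealHit";
    static final String POLL_PATH = "/status";
    static final long MAX_IDLE_MS = 30L * 60L * 1000L;

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false); // never create a session here
        if (session != null) {
            long now = System.currentTimeMillis();
            Long last = (Long) session.getAttribute(LAST_REAL_HIT);
            if (last != null && now - last > MAX_IDLE_MS) {
                // Idle by the application's own clock: end the session even
                // though polling kept the container's access time fresh.
                session.invalidate();
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            boolean polling = req.getServletPath().startsWith(POLL_PATH);
            if (!polling || last == null) {
                // Only user-driven requests (or the first request seen)
                // move the idle clock forward.
                session.setAttribute(LAST_REAL_HIT, now);
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

The container's own session timeout still applies once polling stops, for example when the browser is closed.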