magro / memcached-session-manager

A Tomcat session manager that backs up sessions in memcached and pulls them from there if asked for unknown sessions
Apache License 2.0

create a session after invoke session.invalidate() then cannot get it in the next request #284

Closed Alvison closed 8 years ago

Alvison commented 8 years ago

My case is this:

When a user signs in to my system with a jsessionid in the cookie, I invoke session.invalidate() to unbind everything in this session for some reason. Then I set some info on the session like this:

request.getSession().setAttribute("userinfo", "xxxxxx");

Thus it will create a new session with the same session id. Unfortunately, the following new request cannot get the session.

After debugging, I found out that my failure is caused by de.javakaffee.web.msm.MemcachedSessionService._invalidSessionsCache.

When I create a new session with a session id that exists in _invalidSessionsCache, it forgets to remove it from _invalidSessionsCache, so the new session is still marked as an invalid session.

I think this is a bug. What do you think about it?

magro commented 8 years ago

Do you mean that the new session is created with the id of the invalidated session? Can you share debug logs?

Alvison commented 8 years ago

@magro Thank you for your prompt reply.

Q: Do you mean that the new session is created with the id of the invalidated session? A: yes

The script I use to represent the problem:

echo "assume: The getSigninForm request return sessioncookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1'"
echo "So i will post my request with JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1"
echo "here we go"
echo `date`"----- postSigninForm"

curl 'http://localhost:8080/testWeb/tss?state=postSigninForm' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: zh-CN,zh;q=0.8,en;q=0.6' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: no-cache' -H 'Cookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1' -H 'Connection: keep-alive' -H 'AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3' --compressed
echo `date`"----- afterLogin"
curl 'http://localhost:8080/testWeb/tss?state=afterLogin' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: zh-CN,zh;q=0.8,en;q=0.6' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: no-cache' -H 'Cookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1' -H 'Connection: keep-alive' -H 'AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3' --compressed

echo "Another case: I will post signin request and sleep 5 second.Then the afterLogin request can success get session "
echo "here we go"
echo "assume: The getSigninForm request return sessioncookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1'"
echo `date`"----- postSigninForm"

curl 'http://localhost:8080/testWeb/tss?state=postSigninForm' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: zh-CN,zh;q=0.8,en;q=0.6' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: no-cache' -H 'Cookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1' -H 'Connection: keep-alive' -H 'AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3' --compressed
echo "sleep 5 second"
sleep 5
echo `date`"----- afterLogin## had slept 5 second"
curl 'http://localhost:8080/testWeb/tss?state=afterLogin' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: zh-CN,zh;q=0.8,en;q=0.6' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: no-cache' -H 'Cookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1' -H 'Connection: keep-alive' -H 'AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3' --compressed

And the shell output:

alvisqindeMacBook-Pro:Desktop alvisqin$ ./sessiontest.sh 
assume: The getSigninForm request return sessioncookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1'
So i will post my request with JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1
here we go
2016年 1月22日 星期五 13时56分21秒 CST----- postSigninForm
loginSuccess
2016年 1月22日 星期五 13时56分21秒 CST----- afterLogin
your profile info is:null
Another case: I will post signin request and sleep 5 second.Then the afterLogin request can success get session 
here we go
assume: The getSigninForm request return sessioncookie: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1'
2016年 1月22日 星期五 13时56分21秒 CST----- postSigninForm
loginSuccess
sleep 5 second
2016年 1月22日 星期五 13时56分26秒 CST----- afterLogin## had slept 5 second
your profile info is:{name:alvis, balance:$10000 }

tomcat logs:

一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: >>>>>> Request starting: GET /testWeb/tss?state=postSigninForm (requestedSessionId 42D24D10BD954F66552649AE54FB86D2-n1) ==================
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.SessionIdFormat createSessionId
详细: Creating new session id with orig id 'ping' and memcached id 'n1'.
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.NodeAvailabilityCache updateIsNodeAvailable
详细: CacheLoader returned node availability 'true' for node 'n1'.
-----    user login   -----
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService loadFromMemcached
详细: Loading session from memcached: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService loadFromMemcached
详细: Found session with id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedBackupSessionManager removeInternal
详细: remove invoked, removeFromMemcached: true, id: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService deleteFromMemcached
详细: Deleting session from memcached: 42D24D10BD954F66552649AE54FB86D2-n1
bind only one attribute to my new session
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: createSession invoked: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: Created new session with id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionService backupSession
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.LockingStrategy onAfterBackupSession
详细: Stored session validity info for session 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask doBackupSession
详细: Trying to store session in memcached: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Finished for session id 42D24D10BD954F66552649AE54FB86D2-n1, returning status SUCCESS
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugRequestSessionCookie
详细: Have request session cookie: domain=null, maxAge=-1, path=null, value=42D24D10BD954F66552649AE54FB86D2-n1, version=0, secure=false
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugResponseCookie
详细: Request finished, with Set-Cookie header: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1; Path=/; HttpOnly
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: <<<<<< Request finished: GET /testWeb/tss?state=postSigninForm ==================
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: >>>>>> Request starting: GET /testWeb/tss?state=afterLogin (requestedSessionId 42D24D10BD954F66552649AE54FB86D2-n1) ==================
-----    afterLogin   -----
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: createSession invoked: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: Created new session with id 42D24D10BD954F66552649AE54FB86D2-n1
you profile is: null
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionService backupSession
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.LockingStrategy onAfterBackupSession
详细: Stored session validity info for session 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugRequestSessionCookie
详细: Have request session cookie: domain=null, maxAge=-1, path=null, value=42D24D10BD954F66552649AE54FB86D2-n1, version=0, secure=false
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugResponseCookie
详细: Request finished, with Set-Cookie header: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1; Path=/; HttpOnly
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: <<<<<< Request finished: GET /testWeb/tss?state=afterLogin ==================
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask doBackupSession
详细: Trying to store session in memcached: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Finished for session id 42D24D10BD954F66552649AE54FB86D2-n1, returning status SUCCESS
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: >>>>>> Request starting: GET /testWeb/tss?state=postSigninForm (requestedSessionId 42D24D10BD954F66552649AE54FB86D2-n1) ==================
-----    user login   -----
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: createSession invoked: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: Created new session with id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedBackupSessionManager removeInternal
详细: remove invoked, removeFromMemcached: true, id: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService deleteFromMemcached
详细: Deleting session from memcached: 42D24D10BD954F66552649AE54FB86D2-n1
bind only one attribute to my new session
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: createSession invoked: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.MemcachedSessionService createSession
详细: Created new session with id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionService backupSession
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.LockingStrategy onAfterBackupSession
详细: Stored session validity info for session 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugRequestSessionCookie
详细: Have request session cookie: domain=null, maxAge=-1, path=null, value=42D24D10BD954F66552649AE54FB86D2-n1, version=0, secure=false
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask doBackupSession
详细: Trying to store session in memcached: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugResponseCookie
详细: Request finished, with Set-Cookie header: JSESSIONID=42D24D10BD954F66552649AE54FB86D2-n1; Path=/; HttpOnly
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Finished for session id 42D24D10BD954F66552649AE54FB86D2-n1, returning status SUCCESS
一月 22, 2016 1:56:21 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: <<<<<< Request finished: GET /testWeb/tss?state=postSigninForm ==================
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: >>>>>> Request starting: GET /testWeb/tss?state=afterLogin (requestedSessionId 42D24D10BD954F66552649AE54FB86D2-n1) ==================
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.SessionIdFormat createSessionId
详细: Creating new session id with orig id 'ping' and memcached id 'n1'.
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.NodeAvailabilityCache updateIsNodeAvailable
详细: CacheLoader returned node availability 'true' for node 'n1'.
-----    afterLogin   -----
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.MemcachedSessionService loadFromMemcached
详细: Loading session from memcached: 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.MemcachedSessionService loadFromMemcached
详细: Found session with id 42D24D10BD954F66552649AE54FB86D2-n1
you profile is: {name:alvis, balance:$10000 }
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.BackupSessionService backupSession
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.LockingStrategy onAfterBackupSession
详细: Stored session validity info for session 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Starting for session id 42D24D10BD954F66552649AE54FB86D2-n1
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.RequestTrackingHostValve logDebugRequestSessionCookie
详细: Have request session cookie: domain=null, maxAge=-1, path=null, value=42D24D10BD954F66552649AE54FB86D2-n1, version=0, secure=false
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.BackupSessionTask call
详细: Finished for session id 42D24D10BD954F66552649AE54FB86D2-n1, returning status SKIPPED
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.RequestTrackingHostValve invoke
详细: <<<<<< Request finished: GET /testWeb/tss?state=afterLogin ==================
一月 22, 2016 1:56:26 下午 de.javakaffee.web.msm.LockingStrategy pingSession
详细: The session was ping'ed successfully.

Some of my application code and tomcat configuration:

com.alvis.testweb.TestSessionServlet:

package com.alvis.testweb;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestSessionServlet extends HttpServlet{

    private static final long serialVersionUID = -7083183762109600156L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String parameter = req.getParameter("state");
        String sessionAttribute = "userProfile";
        String userlatestProfile = "{name:alvis, balance:$10000 }";
        PrintWriter writer = resp.getWriter();  

        if( parameter !=null ){
            switch (parameter) {
            case "getSigninForm":
                System.out.println("----- get login form -----");
                req.getSession().setAttribute("createsession", "yes...");

                writer.println("your Signin Form");
                writer.close();         
                break;
            case "postSigninForm":
                System.out.println("-----    user login   -----");

                //unbound all object in this session for some reason
                req.getSession().invalidate();

                //bind only one attribute to my new session             
                System.out.println("bind only one attribute to my new session");                
                req.getSession().setAttribute(sessionAttribute, userlatestProfile);

                writer.println("loginSuccess");
                writer.close();         
                break;
            case "afterLogin":
                System.out.println("-----    afterLogin   -----");

                Object attribute = req.getSession().getAttribute(sessionAttribute);
                System.out.println("you profile is: " + attribute);

                writer.println("your profile info is:" + attribute);
                writer.close();         
                break;              

            default:
                System.out.println("----- unimplemented -----");
                break;
            }
        }       
    }
}

web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" 
    xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <display-name>testWeb</display-name>  
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>testSessionServlet</servlet-name>
      <servlet-class>com.alvis.testweb.TestSessionServlet</servlet-class>
  </servlet>
    <servlet-mapping>
      <servlet-name>testSessionServlet</servlet-name>
      <url-pattern>/tss</url-pattern>
  </servlet-mapping>

</web-app>

tomcat/conf/context.xml:
<?xml version='1.0' encoding='utf-8'?>
<Context sessionCookiePath="/" >
    <Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
        memcachedNodes="n1:localhost:11211"
        sticky="false"
        sessionBackupAsync="true"
        requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js)$"
        transcoderFactoryClass="de.javakaffee.web.msm.serializer.kryo.KryoTranscoderFactory"
        />
  <WatchedResource>WEB-INF/web.xml</WatchedResource>

</Context>

tomcat libs:
alvisqindeMacBook-Pro:tomcat alvisqin$ ls -l ../apache-tomcat-7.0.53/lib/
total 16088
-rw-r--r--@ 1 alvisqin  staff    15978  3 25  2014 annotations-api.jar
-rw-r--r--  1 alvisqin  staff    43398 10 19 11:14 asm-3.2.jar
-rw-r--r--@ 1 alvisqin  staff    53446  3 25  2014 catalina-ant.jar
-rw-r--r--@ 1 alvisqin  staff   132932  3 25  2014 catalina-ha.jar
-rw-r--r--@ 1 alvisqin  staff   255964  3 25  2014 catalina-tribes.jar
-rw-r--r--@ 1 alvisqin  staff  1592605  3 25  2014 catalina.jar
-rw-r--r--  1 alvisqin  staff   317601 10 19 11:14 couchbase-client-1.4.0.jar
-rw-r--r--@ 1 alvisqin  staff  2272697  3 25  2014 ecj-P20140317-1600.jar
-rw-r--r--@ 1 alvisqin  staff    54453  3 25  2014 el-api.jar
-rw-r--r--@ 1 alvisqin  staff   123140  3 25  2014 jasper-el.jar
-rw-r--r--@ 1 alvisqin  staff   601168  3 25  2014 jasper.jar
-rw-r--r--@ 1 alvisqin  staff    87809  3 25  2014 jsp-api.jar
-rw-r--r--  1 alvisqin  staff    94830 10 19 11:14 kryo-1.04.jar
-rw-r--r--  1 alvisqin  staff    62112 10 19 11:14 kryo-serializers-0.11.jar
-rw-r--r--  1 alvisqin  staff   147025 10 19 11:14 memcached-session-manager-1.8.3.jar
-rw-r--r--  1 alvisqin  staff    11284 10 19 11:14 memcached-session-manager-tc7-1.8.3.jar
-rw-r--r--  1 alvisqin  staff     4879 10 19 11:14 minlog-1.2.jar
-rw-r--r--  1 alvisqin  staff    29328 10 19 11:14 msm-kryo-serializer-1.8.3.jar
-rw-r--r--  1 alvisqin  staff    11615 10 19 11:14 reflectasm-1.01.jar
-rw-r--r--@ 1 alvisqin  staff   197876  3 25  2014 servlet-api.jar
-rw-r--r--  1 alvisqin  staff   459447 10 19 11:14 spymemcached-2.11.1.jar
-rw-r--r--@ 1 alvisqin  staff     6143  3 25  2014 tomcat-api.jar
-rw-r--r--@ 1 alvisqin  staff   830468  3 25  2014 tomcat-coyote.jar
-rw-r--r--@ 1 alvisqin  staff   234043  3 25  2014 tomcat-dbcp.jar
-rw-r--r--@ 1 alvisqin  staff    71937  3 25  2014 tomcat-i18n-es.jar
-rw-r--r--@ 1 alvisqin  staff    43800  3 25  2014 tomcat-i18n-fr.jar
-rw-r--r--@ 1 alvisqin  staff    47038  3 25  2014 tomcat-i18n-ja.jar
-rw-r--r--@ 1 alvisqin  staff   125457  3 25  2014 tomcat-jdbc.jar
-rw-r--r--@ 1 alvisqin  staff    32257  3 25  2014 tomcat-util.jar
-rw-r--r--@ 1 alvisqin  staff   177763  3 25  2014 tomcat7-websocket.jar
-rw-r--r--@ 1 alvisqin  staff    36155  3 25  2014 websocket-api.jar

version:
tomcat version:7.0.53
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)

magro commented 8 years ago

Thanks! If the new session is created with the id of the invalidated session then we should fix the issue you described, great analysis! Do you want to submit a pull request?

Some of my application code and tomcat configuration:

com.alvis.testweb.TestSessionServlet:

package com.alvis.testweb;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestSessionServlet extends HttpServlet {

    private static final long serialVersionUID = -7083183762109600156L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String parameter = req.getParameter("state");
        String sessionAttribute = "userProfile";
        String userlatestProfile = "{name:alvis, balance:$10000 }";
        PrintWriter writer = resp.getWriter();

        if (parameter != null) {
            switch (parameter) {
            case "getSigninForm":
                System.out.println("----- get login form -----");
                req.getSession().setAttribute("createsession", "yes...");

                writer.println("your Signin Form");
                writer.close();
                break;
            case "postSigninForm":
                System.out.println("-----    user login   -----");

                //unbound all object in this session for some reason
                req.getSession().invalidate();

                //bind only one attribute to my new session
                System.out.println("bind only one attribute to my new session");
                req.getSession().setAttribute(sessionAttribute, userlatestProfile);

                writer.println("loginSuccess");
                writer.close();
                break;
            case "afterLogin":
                System.out.println("-----    afterLogin   -----");

                Object attribute = req.getSession().getAttribute(sessionAttribute);
                System.out.println("you profile is: " + attribute);

                writer.println("your profile info is:" + attribute);
                writer.close();
                break;

            default:
                System.out.println("----- unimplemented -----");
                break;
            }
        }
    }

}

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

testWeb index.jsp testSessionServlet com.alvis.testweb.TestSessionServlet
<servlet-mapping>
  <servlet-name>testSessionServlet</servlet-name>
  <url-pattern>/tss</url-pattern>

tomcat/conf/context.xml:

<?xml version='1.0' encoding='utf-8'?>

WEB-INF/web.xml

tomcat libs:

alvisqindeMacBook-Pro:tomcat alvisqin$ ls -l ../apache-tomcat-7.0.53/lib/
total 16088
-rw-r--r--@ 1 alvisqin staff 15978 3 25 2014 annotations-api.jar
-rw-r--r-- 1 alvisqin staff 43398 10 19 11:14 asm-3.2.jar
-rw-r--r--@ 1 alvisqin staff 53446 3 25 2014 catalina-ant.jar
-rw-r--r--@ 1 alvisqin staff 132932 3 25 2014 catalina-ha.jar
-rw-r--r--@ 1 alvisqin staff 255964 3 25 2014 catalina-tribes.jar
-rw-r--r--@ 1 alvisqin staff 1592605 3 25 2014 catalina.jar
-rw-r--r-- 1 alvisqin staff 317601 10 19 11:14 couchbase-client-1.4.0.jar
-rw-r--r--@ 1 alvisqin staff 2272697 3 25 2014 ecj-P20140317-1600.jar
-rw-r--r--@ 1 alvisqin staff 54453 3 25 2014 el-api.jar
-rw-r--r--@ 1 alvisqin staff 123140 3 25 2014 jasper-el.jar
-rw-r--r--@ 1 alvisqin staff 601168 3 25 2014 jasper.jar
-rw-r--r--@ 1 alvisqin staff 87809 3 25 2014 jsp-api.jar
-rw-r--r-- 1 alvisqin staff 94830 10 19 11:14 kryo-1.04.jar
-rw-r--r-- 1 alvisqin staff 62112 10 19 11:14 kryo-serializers-0.11.jar
-rw-r--r-- 1 alvisqin staff 147025 10 19 11:14 memcached-session-manager-1.8.3.jar
-rw-r--r-- 1 alvisqin staff 11284 10 19 11:14 memcached-session-manager-tc7-1.8.3.jar
-rw-r--r-- 1 alvisqin staff 4879 10 19 11:14 minlog-1.2.jar
-rw-r--r-- 1 alvisqin staff 29328 10 19 11:14 msm-kryo-serializer-1.8.3.jar
-rw-r--r-- 1 alvisqin staff 11615 10 19 11:14 reflectasm-1.01.jar
-rw-r--r--@ 1 alvisqin staff 197876 3 25 2014 servlet-api.jar
-rw-r--r-- 1 alvisqin staff 459447 10 19 11:14 spymemcached-2.11.1.jar
-rw-r--r--@ 1 alvisqin staff 6143 3 25 2014 tomcat-api.jar
-rw-r--r--@ 1 alvisqin staff 830468 3 25 2014 tomcat-coyote.jar
-rw-r--r--@ 1 alvisqin staff 234043 3 25 2014 tomcat-dbcp.jar
-rw-r--r--@ 1 alvisqin staff 71937 3 25 2014 tomcat-i18n-es.jar
-rw-r--r--@ 1 alvisqin staff 43800 3 25 2014 tomcat-i18n-fr.jar
-rw-r--r--@ 1 alvisqin staff 47038 3 25 2014 tomcat-i18n-ja.jar
-rw-r--r--@ 1 alvisqin staff 125457 3 25 2014 tomcat-jdbc.jar
-rw-r--r--@ 1 alvisqin staff 32257 3 25 2014 tomcat-util.jar
-rw-r--r--@ 1 alvisqin staff 177763 3 25 2014 tomcat7-websocket.jar
-rw-r--r--@ 1 alvisqin staff 36155 3 25 2014 websocket-api.jar

version:

tomcat version: 7.0.53
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)


Alvison commented 8 years ago

Okay, I will try it today!

magro commented 8 years ago

Thanks for the PR, I've left a comment there.

Btw, was your original intent to get a new session id for the newly authenticated session, to prevent session fixation? Then this obviously isn't the case. I've not checked the related tomcat code for createSession( String sessionId ) to see if they're using the given sessionId as well or how they're handling this case. Not sure if this is relevant for you.
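
The session-fixation question raised in the comment above can be checked against msm debug logs like the ones posted in this thread: when a request's Set-Cookie header re-issues the same JSESSIONID that the client sent, the session was re-created without rotating its id. The check below is an added example, not code from the thread or from memcached-session-manager; the function name, the shortened session ids and the `state=rotated` request are constructed for illustration.

```python
import re

# Constructed sample in the format of the msm debug lines quoted in this thread
# (timestamps and logger names dropped, session ids shortened). The "rotated"
# request is hypothetical: it shows what a login that issues a fresh id looks like.
SAMPLE_LOG = """\
>>>>>> Request starting: GET /testWeb/tss?state=postSigninForm (requestedSessionId AAAA1111-n1) ====
createSession invoked: AAAA1111-n1
Request finished, with Set-Cookie header: JSESSIONID=AAAA1111-n1; Path=/; HttpOnly
<<<<<< Request finished: GET /testWeb/tss?state=postSigninForm ====
>>>>>> Request starting: GET /testWeb/tss?state=rotated (requestedSessionId AAAA1111-n1) ====
Request finished, with Set-Cookie header: JSESSIONID=BBBB2222-n1; Path=/; HttpOnly
<<<<<< Request finished: GET /testWeb/tss?state=rotated ====
>>>>>> Request starting: GET /testWeb/tss?state=afterLogin (requestedSessionId BBBB2222-n1) ====
<<<<<< Request finished: GET /testWeb/tss?state=afterLogin ====
"""

START = re.compile(r"Request starting: \S+ (\S+) \(requestedSessionId (\S+)\)")
COOKIE = re.compile(r"Set-Cookie header: JSESSIONID=([^;\s]+)")
END = re.compile(r"Request finished: ")


def find_reused_session_ids(log_text):
    """Return (uri, session_id) for each request whose Set-Cookie re-issues
    the session id the client sent, i.e. the id was not rotated."""
    findings = []
    uri = requested = None
    for line in log_text.splitlines():
        start = START.search(line)
        if start:
            uri, requested = start.groups()
        elif END.search(line):
            uri = requested = None  # request is over, stop attributing lines to it
        else:
            cookie = COOKIE.search(line)
            # Assumes requests are logged one after another (no interleaved requests).
            if cookie and uri is not None and cookie.group(1) == requested:
                findings.append((uri, requested))
    return findings


if __name__ == "__main__":
    for uri, sid in find_reused_session_ids(SAMPLE_LOG):
        print(f"session id {sid} re-issued unchanged by {uri}")
```

On the sample, only the `postSigninForm` request is reported; the request that answers with a different id and the one that sets no cookie are not.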

Alvison commented 8 years ago

Q: Btw, was your original intent to get a new session id for the newly authenticated session, to prevent session fixation?

A: No. My intent is to guarantee a new session can be retrieved by the following request, even if the session was created with a sessionId which has been marked invalid before I create it.

magro commented 8 years ago

Ok, fine. I'm waiting for the adjustment of the PR according to my comment, then I can make a release.

Alvison commented 8 years ago

Hi, magro! I pushed a commit according to your comment two days ago. You can check my PR: https://github.com/magro/memcached-session-manager/pull/285/files