search

spring-projects / spring-session

Spring Session
https://spring.io/projects/spring-session
Apache License 2.0
1.86k stars 1.11k forks source link

An "IllegalStateException: Session was invalidated" - exception is thrown after session was already invalidated #2893

Open stefan-g opened 6 months ago

stefan-g commented 6 months ago

I have a /logout rest endpoint that invalidates a session by using HttpSession#invalidate(). Sometimes (10 out of 1000 requests) the following IllegalStateException is thrown.

java.lang.IllegalStateException: Session was invalidated
    at org.springframework.session.data.redis.RedisSessionRepository.save(RedisSessionRepository.java:122)
    at org.springframework.session.data.redis.RedisSessionRepository.save(RedisSessionRepository.java:42)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:227)
    at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:145)
    at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
            2 lines skipped for [org.apache.catalina]
    at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
            2 lines skipped for [org.apache.catalina]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
            2 lines skipped for [org.apache.catalina]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
            17 lines skipped for [org.apache.catalina, org.apache.tomcat, org.apache.coyote]
    at java.base/java.lang.Thread.run(Thread.java:840)

The exception occurs in combination with spring cloud gateway (netflix). It's seems that the way spring cloud gateway is forwarding the request causes some troubles in this case.

The used components are spring boot 3.2.3, spring cloud dependencies 2023.0.0, Redisson

I found a similar case here https://github.com/spring-projects/spring-security/pull/9128#issuecomment-984972101 but there it is related to spring security.

The exception can be reproduced by the following demo app (tested on windows 11). check readme.md for details.

petervanwylen commented 1 month ago

I'm having this same error in spring boot 3.3.2 but not with spring cloud but spring session redis backed by AWS serverless redis. I don't really understand it, and it seems like an invalidated session should be handled by default without throwing errors?

This seems related to #1277 possibly?