Bug 1316949 - Active-sessions can exceed property MAX_ACTIVE_SESSIONS
Summary: Active-sessions can exceed property MAX_ACTIVE_SESSIONS
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.4.7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Enrique Gonzalez Martinez
QA Contact: Radim Hatlapatka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-11 14:02 UTC by Michael Cada
Modified: 2016-03-21 07:07 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-03-21 07:07:31 UTC
Type: Bug
Embargoed:


Attachments
Simple web app for session counting (2.66 KB, application/zip)
2016-03-11 14:02 UTC, Michael Cada
Simple web app for session counting (2.78 KB, application/zip)
2016-03-11 14:36 UTC, Michael Cada
patch 7.5.x (998 bytes, patch)
2016-03-15 08:57 UTC, Enrique Gonzalez Martinez

Description Michael Cada 2016-03-11 14:02:26 UTC
Created attachment 1135254 [details]
Simple web app for session counting

Description of problem:

If you start EAP with org.apache.catalina.session.StandardManager.MAX_ACTIVE_SESSIONS set and then create sessions in parallel, you can exceed this limit.


How reproducible: 90%


Steps to Reproduce:
1. Start EAP with:
      ./standalone.sh -Dorg.apache.catalina.session.StandardManager.MAX_ACTIVE_SESSIONS=3
2. Deploy attached application something.war 
3. Connect to jboss-cli and check web resource status for something.war:
      /deployment=something.war/subsystem=web:read-resource(include-runtime=true)
4. Open more sessions than MAX_ACTIVE_SESSIONS (I tried it with 16) in parallel on URL:
      http://localhost:8080/something/SessionAccessCounter
5. Check web resource status again

Actual results:
There can be more active-sessions than you set with property MAX_ACTIVE_SESSIONS


Expected results:
All sessions over MAX_ACTIVE_SESSIONS limit are rejected

Comment 1 Michael Cada 2016-03-11 14:36:30 UTC
Created attachment 1135260 [details]
Simple web app for session counting

Comment 2 Enrique Gonzalez Martinez 2016-03-15 08:33:05 UTC
It is a race condition in the StandardManager class.

When the session is created, the manager tries to calculate the number of active sessions

https://source.jboss.org/browse/JBossWeb/branches/7.5.x/src/main/java/org/apache/catalina/session/StandardManager.java?hb=true#to295

and after that it creates the session adding it to the session map
https://source.jboss.org/browse/JBossWeb/branches/7.5.x/src/main/java/org/apache/catalina/session/StandardManager.java?hb=true#to300

This is the cause of the race condition. This makes it possible to create more sessions than the property MAX_ACTIVE_SESSIONS allows.

Comment 3 Enrique Gonzalez Martinez 2016-03-15 08:57:33 UTC
Created attachment 1136458 [details]
patch 7.5.x

Guarding the concurrent block to avoid the race condition.
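
The check-then-act race described in comment 2, and one way to guard it, as an added example that is neither JBoss Web code nor the attached patch. The class `SessionLimitRace` and its methods are hypothetical stand-ins; the limit of 3 and the 16 parallel clients come from the reproduction steps, and using `synchronized` as the guard is an assumption.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.function.BooleanSupplier;

// Hypothetical stand-in for a session manager; not JBoss Web code.
public class SessionLimitRace {
    static final int MAX_ACTIVE_SESSIONS = 3;   // limit from the reproduction steps
    static final int CLIENTS = 16;              // parallel requests from the report
    final Map<String, Object> sessions = new ConcurrentHashMap<>();

    // Check-then-act: the size check and the put are two separate steps.
    boolean createUnguarded() {
        if (sessions.size() >= MAX_ACTIVE_SESSIONS) return false; // check
        Thread.yield();                         // widens the window for the demo
        sessions.put(UUID.randomUUID().toString(), new Object()); // act
        return true;
    }

    // Check and insert under one lock, so no thread acts on a stale count.
    synchronized boolean createGuarded() {
        if (sessions.size() >= MAX_ACTIVE_SESSIONS) return false;
        sessions.put(UUID.randomUUID().toString(), new Object());
        return true;
    }

    // Releases CLIENTS threads at once and returns the resulting session count.
    static int run(SessionLimitRace mgr, BooleanSupplier create) throws InterruptedException {
        CountDownLatch start = new CountDownLatch(1);
        Thread[] workers = new Thread[CLIENTS];
        for (int i = 0; i < CLIENTS; i++) {
            workers[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                create.getAsBoolean();
            });
            workers[i].start();
        }
        start.countDown();
        for (Thread t : workers) t.join();
        return mgr.sessions.size();
    }

    public static void main(String[] args) throws InterruptedException {
        SessionLimitRace a = new SessionLimitRace(), b = new SessionLimitRace();
        System.out.println("unguarded: " + run(a, a::createUnguarded) + " sessions");
        System.out.println("guarded:   " + run(b, b::createGuarded) + " sessions");
    }
}
```

The guarded run never ends with more than 3 sessions. The unguarded count depends on thread scheduling and varies between runs, so a single run at or below the limit does not show the check is safe.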

