|Summary:||Illegal context class loader is used when HttpSessionListener is executed.|
|Product:||Tomcat 6||Reporter:||Keiichi Fujino <fujino.keiichi>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
Description Keiichi Fujino 2009-09-01 01:58:42 UTC
When HttpSessionListener is executed, illegal class loader is set to the context classLoader. I think that the problem is in CoyoteAdapter#parseSessionCookiesId method. JSESSION COOKIE is parsed in this method, and sessionId is set to the request. To check sessionId, Request#isRequestedSessionIdValid method is called in this method. And, Session#isValid() might be called in Request#isRequestedSessionIdValid method. However, the context class loader of a current thread is StandardClassLoader. It is not WebappClassLoader. For instance, When the session has already passed session-timeout, Session#expire is executed. At this time, the context class loader of the thread that executes HttpSessionListenner#sessionDestroyed is StanderdClassLoader. This is not good. The context class loader of the thread that executes HttpSessionListenner should be WebAppClassLoader. Best regards.
Comment 1 Mark Thomas 2009-12-14 15:03:43 UTC
This has been fixed in trunk and proposed for 6.0.x. Thanks for the report.
Comment 2 Mark Thomas 2010-01-14 02:04:05 UTC
The patch has been applied to 6.0.x and will be included in 6.0.23 onwards.
Comment 3 Keiichi Fujino 2010-04-02 06:14:10 UTC
I reopned this bug. This is not fixed against 5.5.x. therefore, proposed for 5.5.x.
Comment 4 Keiichi Fujino 2010-04-09 07:50:26 UTC
This fix applied to 5.5, will be in 5.5.30 onwards.