Bug 47774

Summary: Illegal context class loader is used when HttpSessionListener is executed.
Product: Tomcat 6
Reporter: Keiichi Fujino <fujino.keiichi>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 6.0.20   
Target Milestone: default   
Hardware: All   
OS: All   

Description Keiichi Fujino 2009-09-01 01:58:42 UTC
When HttpSessionListener is executed, an illegal class loader is set as the context class loader.

I think that the problem is in CoyoteAdapter#parseSessionCookiesId method. 
JSESSION COOKIE is parsed in this method, and sessionId is set to the request. 

To check sessionId, Request#isRequestedSessionIdValid method is called in this method. 
And, Session#isValid() might be called in Request#isRequestedSessionIdValid method. 
However, the context class loader of a current thread is StandardClassLoader. 
It is not WebappClassLoader. 

For instance, when the session has already passed session-timeout, Session#expire is executed.
At this time, the context class loader of the thread that executes HttpSessionListener#sessionDestroyed is StandardClassLoader.
This is not good.
The context class loader of the thread that executes HttpSessionListener should be WebappClassLoader.

Best regards.
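
The class-loader handling the report asks for, as an added example that is not part of the original report and is not Tomcat's code: the callback is wrapped so that the thread context class loader is switched to the application's loader and restored afterwards. `SessionDestroyedCallback`, `fireWithLoader` and the empty `URLClassLoader` standing in for WebappClassLoader are hypothetical names and constructed stand-ins, so the sketch runs on a plain JDK without the servlet API.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class TcclListenerDemo {
    // Hypothetical stand-in for HttpSessionListener#sessionDestroyed.
    interface SessionDestroyedCallback { void sessionDestroyed(String sessionId); }

    // Runs the callback with webappLoader as the thread context class loader
    // and restores the previous loader even if the callback throws.
    static void fireWithLoader(ClassLoader webappLoader, SessionDestroyedCallback cb, String id) {
        Thread t = Thread.currentThread();
        ClassLoader previous = t.getContextClassLoader();
        t.setContextClassLoader(webappLoader);
        try {
            cb.sessionDestroyed(id);
        } finally {
            t.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        // Plays the role of the container-level loader (StandardClassLoader in the report).
        ClassLoader containerLoader = Thread.currentThread().getContextClassLoader();
        // Constructed stand-in for the web application's class loader.
        try (URLClassLoader webappLoader = new URLClassLoader(new URL[0], containerLoader)) {
            SessionDestroyedCallback listener = id -> {
                ClassLoader seen = Thread.currentThread().getContextClassLoader();
                System.out.println(id + ": listener sees the "
                        + (seen == webappLoader ? "webapp loader" : "container loader"));
            };

            // Situation from the report: the listener fires during session-id
            // validation while the container loader is still the context loader.
            listener.sessionDestroyed("constructed-session-1");

            // Expected situation: the application's loader is bound around the callback.
            fireWithLoader(webappLoader, listener, "constructed-session-2");

            // The request thread gets its original context loader back.
            System.out.println("container loader restored: "
                    + (Thread.currentThread().getContextClassLoader() == containerLoader));
        }
    }
}
```

Anything the listener resolves through the context class loader (application classes, resources) is looked up in whichever loader is bound at that moment, which is why the loader seen in the first call matters.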
Comment 1 Mark Thomas 2009-12-14 15:03:43 UTC
This has been fixed in trunk and proposed for 6.0.x.

Thanks for the report.
Comment 2 Mark Thomas 2010-01-14 02:04:05 UTC
The patch has been applied to 6.0.x and will be included in 6.0.23 onwards.
Comment 3 Keiichi Fujino 2010-04-02 06:14:10 UTC
I reopened this bug.
This is not fixed against 5.5.x.
Therefore, proposed for 5.5.x.
Comment 4 Keiichi Fujino 2010-04-09 07:50:26 UTC
This fix applied to 5.5, will be in 5.5.30 onwards.