Bug 56339 - session listener invalidate session
Summary: session listener invalidate session
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Servlet & JSP API (show other bugs)
Version: 7.0.47
Hardware: PC Linux
: P2 blocker (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2014-04-02 08:56 UTC by Soner Sivri
Modified: 2014-04-04 21:25 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Soner Sivri 2014-04-02 08:56:46 UTC
we have sessionlistener
in sessionDestroyed method we call session.invalidate()
in version 7.0.42 its ok but newer versions loops code

public void sessionDestroyed(HttpSessionEvent arg0) {
		if(arg0 !=null && arg0.getSession() !=null)
			HttpSession session = arg0.getSession();
			String sessionId = session.getId();
			if(sessionId != null)
				UserPrincipal userPrincipal = (UserPrincipal)session.getAttribute(ContextVar.USERPRINCIPLE);
				if (userPrincipal != null)
					UserOpBLO userOpBLO = new UserOpBLO(new ResourcePool());
					userOpBLO.processLogoutActivity(sessionId, userPrincipal.getUserId());
Comment 1 Christopher Schultz 2014-04-02 19:53:09 UTC
Why would you call session.invalidate() from SessionListener.sessionDestroyed? It's already in the process of being invalidated.
Comment 2 Soner Sivri 2014-04-02 20:01:22 UTC
The code is old code 
My Friend who wrote the code said there was A problem why he put it. He did not remember the problem.
I understood that you said remove session.invalidate()
Comment 3 Mark Thomas 2014-04-04 21:04:55 UTC
There should be no need to call session.invalidate() from the session destroyed event. However, entering an infinite loop if application code does do this is far from ideal.

This is a side-effect of the fix for bug 55521. I'll look into a fix.
Comment 4 Mark Thomas 2014-04-04 21:25:37 UTC
This has been fixed in 8.0.x for 8.0.6 onwards and in 7.0.x 7.0.54 onwards.