You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The getSession method in WebFilter.RequestWrapper does not respect the boolean create parameter. As you can see, the parameter is not used anywhere in the method:
The javadoc for javax.servlet.http.HttpServletRequest#getSession(boolean) describes the expected behavior:
create - true to create a new session for this request if necessary; false to return null if there's no current session
Why is this a problem?
For most request, our software does not require a session, so we make sure to only call getSession(true) when the authentication requires a session. In all other cases we require correct Servlet-spec behavior for getSession(false). Hazelcast is now forcing a new session to be created with every request, which causes massive amounts of sessions that are not needed. All these sessions drain resources and cause server to slow down, even break.
The text was updated successfully, but these errors were encountered:
Following issue has been created by @nkrijnen
Original Link : hazelcast/hazelcast#8549
The getSession method in WebFilter.RequestWrapper does not respect the boolean create parameter. As you can see, the parameter is not used anywhere in the method:
https://github.com/hazelcast/hazelcast/blob/v3.6.3/hazelcast-wm/src/main/java/com/hazelcast/web/WebFilter.java#L460
We are currently using Hazelcast version 3.6.3.
This piece of code is identical in the latest master:
https://github.com/hazelcast/hazelcast-wm/blob/master/src/main/java/com/hazelcast/web/WebFilter.java#L473
Expected behavior
The javadoc for javax.servlet.http.HttpServletRequest#getSession(boolean) describes the expected behavior:
Why is this a problem?
For most request, our software does not require a session, so we make sure to only call getSession(true) when the authentication requires a session. In all other cases we require correct Servlet-spec behavior for getSession(false). Hazelcast is now forcing a new session to be created with every request, which causes massive amounts of sessions that are not needed. All these sessions drain resources and cause server to slow down, even break.
The text was updated successfully, but these errors were encountered: