LDEV-4901 Rewrite session invalidation mechanism

On WildFly 8 session invalidation mechanism had some bugs. Marek introduced a workaround in LDEV-3413. The mechanism was adjusted in LDEV-4293, especially in this commit
https://code.lamsfoundation.org/fisheye/changelog/lams-github?cs=131ce42e64069f574a2a4a9bc1e5c4be4918e5bb
Newer WildFly versions do not seem to have this bug. A part of workaround was removed in LDEV-4696, but invalidation mechanism stayed as if the bugs were still present. The mechanism introduced the problem with timeouts. Now that the bugs seem to be gone, the invalidation mechanism was rewritten to a more straightforward version which should have been used from the start.

It is worth keeping in mind that when one user session is present and another is being created (another browser, integration call, sysadmin's LoginAs feature), then user gets authenticated, then old session gets invalidated and the user gets authenticated AGAIN by WildFly using cached credentials. Caching is so useful that we can not turn it off. It means that, though, we need to keep login token generated by LoginRequestServlet for longer than just first authentication, as we get authentication call twice. Now we keep it until it is timed out.
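The double authentication described in the commit message, as an added sketch that is not LAMS code: a login token discarded on first use fails the second authentication call that follows invalidation of the old session, while a token kept until its timeout passes both and is rejected afterwards. The class `LoginTokenStore`, the 30-second lifetime and the sample login and token are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical login-token store (illustration only, not the LAMS implementation). */
public class LoginTokenStore {
    private record Entry(String token, Instant expires) {}

    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();
    private final Duration ttl;
    private final boolean singleUse; // true = drop the token after the first successful check

    LoginTokenStore(Duration ttl, boolean singleUse) {
        this.ttl = ttl;
        this.singleUse = singleUse;
    }

    void issue(String login, String token, Instant now) {
        tokens.put(login, new Entry(token, now.plus(ttl)));
    }

    boolean authenticate(String login, String token, Instant now) {
        Entry e = tokens.get(login);
        if (e == null) return false;
        if (!now.isBefore(e.expires())) {   // timed out: forget the token
            tokens.remove(login, e);
            return false;
        }
        // Constant-time comparison of the presented token with the stored one.
        boolean ok = MessageDigest.isEqual(
                e.token().getBytes(StandardCharsets.UTF_8),
                token.getBytes(StandardCharsets.UTF_8));
        if (ok && singleUse) tokens.remove(login, e);
        return ok;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2020-01-01T00:00:00Z"); // constructed timestamp
        for (boolean singleUse : new boolean[] {true, false}) {
            LoginTokenStore store = new LoginTokenStore(Duration.ofSeconds(30), singleUse);
            store.issue("alice", "constructed-token", t0);  // constructed sample values
            boolean first = store.authenticate("alice", "constructed-token", t0.plusSeconds(1));
            // Old session is invalidated here; the container re-authenticates with cached credentials.
            boolean second = store.authenticate("alice", "constructed-token", t0.plusSeconds(2));
            boolean late = store.authenticate("alice", "constructed-token", t0.plusSeconds(31));
            System.out.printf("singleUse=%b first=%b second=%b afterTimeout=%b%n",
                    singleUse, first, second, late);
        }
    }
}
```

Because the token stays valid for its whole lifetime in the second mode, that lifetime is the replay window and is worth keeping as short as the double call allows.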