Announcement Announcement Module
Collapse
No announcement yet.
MVC's concurrent session handling & synchronizeOnSession Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • MVC's concurrent session handling & synchronizeOnSession

    Hi.

    We're using Spring 3.0.2 / Spring MVC for a web application on Tomcat 6.0.26 (on Linux) which stores search results in the user's HttpSession. The central configuration (dispatcher-servlet.xml) looks like this:

    Code:
    <mvc:annotation-driven />
    <context:component-scan base-package="com.example.web" />
    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" p:synchronizeOnSession="true" />
    We do not have a HttpSessionMutexListener defined, so the AnnotationMethodHandlerAdapter will fallback on the HttpSession itself for synchronization.

    However, the API docs for AnnotationMethodHandlerAdapter and HttpSessionMutexListener state that "In many cases, the HttpSession reference itself is a safe mutex as well, since it will always be the same object reference for the same active logical session. However, this is not guaranteed across different servlet containers; the only 100% safe way is a session mutex." (cited from the latter link).

    Since we are experiencing some non-deterministic issues which seem to be related to session mismatch / mixups, especially during high load scenarios, e. g. when running a load test, I am currently trying to see if this might be the root cause for these problems.

    In detail, we had a (virtual) user A perform a search on the web app using search term 'a' and a concurrent user B using the term 'b' for his query. The user A got the results for the query with term 'b' - which is obviously the wrong result and a potential security issue, too.


    Do you have any experience using MVC's annotation config with AnnotationMethodHandlerAdapter and the synchronizeOnSession flag? What might be the cause and are there other options than trying to introduce a HttpSessionMutexListener in web.xml and see if the problem disappears?

    Thanks for any help and ideas.

    Cheers,
    Axel

  • #2
    ..since we are experiencing some non-deterministic issues which seem to be related to session mismatch / mixups, especially during high load scenarios, e. g. when running a load test, I am currently trying to see if this might be the root cause for these problems.
    Just a short follow-up for people finding this thread:

    It turned out that our session mixups have been caused by a race condition in handling HTTP session IDs during conversation with a third party service in the backend code (which has been concurrently invoked and shared session IDs across threads). This explains the higher error rate under load conditions.

    Session synchronization using the AnnotationMethodHandlerAdapter / synchronizeOnSession actually works fine.

    Cheers,
    Axel

    Comment

    Working...
    X