magro
requestUriIgnorePattern causes multiple unwanted new sessions
Versions: Java 1.8.0_191, Tomcat 8.5.30, Jedis 2.9.0, Redis 5.0, mcm 2.3.2
With the below in context.xml, and with Tomcat serving everything (including static files), when I request my application's home page, I see in the logs one new session created per 'ignore', which causes sessions to be lost, and my application doesn't work as expected:
<Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
memcachedNodes="redis://localhost"
sticky="false"
sessionBackupAsync="false"
lockingMode="none"
requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js|woff)$"
/>
25-Jan-2019 10:00:29.706 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET / (requestedSessionId null) ==================
25-Jan-2019 10:00:42.736 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id DB693BE3EBB48516131B9BA9A22FF232
25-Jan-2019 10:00:42.869 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET / ==================
25-Jan-2019 10:00:43.408 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/site-dispatcher (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.610 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/site-dispatcher ==================
25-Jan-2019 10:00:43.616 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/pageLayout (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.639 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/pageLayout ==================
25-Jan-2019 10:00:43.646 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.880 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout ==================
25-Jan-2019 10:00:43.900 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/login/css/login.css (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.901 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id 7E3BCA8B66303C9A036E4C7070B696AD
25-Jan-2019 10:00:43.902 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/login/css/login.css ==================
25-Jan-2019 10:00:43.905 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.906 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id A7D8C5014DDEF90A9235BA66153595BA
25-Jan-2019 10:00:43.906 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js ==================
25-Jan-2019 10:00:44.236 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg (requestedSessionId A7D8C5014DDEF90A9235BA66153595BA) ==================
25-Jan-2019 10:00:44.237 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id DFAF47A85719DD161A3DEF71C73F3F0D
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-9] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/login/images/[email protected] (requestedSessionId A7D8C5014DDEF90A9235BA66153595BA) ==================
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg ==================
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff (requestedSessionId A7D8C5014DDEF90A9235BA66153595BA) ==================
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-9] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id ADF993B587903561D38A67F56B41BDB4
25-Jan-2019 10:00:44.239 FINE [http-nio-8081-exec-9] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/login/images/[email protected] ==================
25-Jan-2019 10:00:44.239 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id E9E8C2C1319D077D1C7134C771AA2840
25-Jan-2019 10:00:44.239 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff ==================
This is unexpected behaviour. I would expect exactly one new session to be created in total, not one new session per ignored static file.
If I then remove the requestUriIgnorePattern attribute, leaving my context.xml as follows:
<Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
memcachedNodes="redis://localhost"
sticky="false"
sessionBackupAsync="false"
lockingMode="none"
/>
Then I see exactly one new session created as expected, and my application works as expected:
25-Jan-2019 09:54:38.627 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET / (requestedSessionId null) ==================
25-Jan-2019 09:54:38.629 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id 88FBBB43BCF0131E37129779977B4608
25-Jan-2019 09:54:38.644 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET / ==================
25-Jan-2019 09:54:38.977 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/site-dispatcher (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.021 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/site-dispatcher ==================
25-Jan-2019 09:54:39.028 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/pageLayout (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.038 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/pageLayout ==================
25-Jan-2019 09:54:39.043 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.104 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout ==================
25-Jan-2019 09:54:39.119 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/login/css/login.css (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.123 FINE [http-nio-8081-exec-2] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.126 FINE [http-nio-8081-exec-2] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js ==================
25-Jan-2019 09:54:39.130 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/login/css/login.css ==================
25-Jan-2019 09:54:39.409 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.411 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.412 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/login/images/[email protected] (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.418 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff ==================
25-Jan-2019 09:54:39.422 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/login/images/[email protected] ==================
25-Jan-2019 09:54:39.425 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg ==================
Sorry, I never found a solution. I simply haven't been using requestUriIgnorePattern.
Sorry, I never found a solution. I simply haven't been using
requestUriIgnorePattern.
Thank you all the same,i done it with you.
We are facing the exact same problem, kept the same jars for tomcat 8 and tomcat 8.5, the problem was coming only for 8.5.
Thanks for bringing this to notice, if not for this open issue, we wouldn't have figured out where things were going wrong.
Thanks for this ticket, we had the same problem and after trying tons of different things, we finally found this ticket. We are running Tomcat/7.0.68 with an AWS Ehcache Memcached instance with memcached-session-manager-2.3.2.jar
Billapepper, could you try tomcat 8.0, that might solve your problem. Although requesturi pattern would as well. Just checking the pattern .
we'll be upgrading tomcat later this year, perhaps then I will be able to test again on the newer version
We also ran into this problem when upgrading our MSM library and it took an absurd amount of time to understand what was going on. Here's an explanation of what happened in our case, which I hope might save other people the pain we went through.
According to the memcached session manager documentation, there is a parameter requestUriIgnorePattern.
This attribute contains a regular expression for request URIs, that shall not trigger a session backup. If static resources like css, javascript, images etc. are delivered by the same tomcat and the same web application context these requests will also pass the memcached-session-manager. However, as these requests should not change anything in a http session, they should also not trigger a session backup. So you should check if any static resources are delivered by tomcat and in this case you should exclude them by using this attribute. The requestUriIgnorePattern must follow the java regex Pattern.
What the documentation fails to mention is that if a request matches the requestUriIgnorePattern, not only will the session not be backed up, but it will also not be accessible. This was not the case in the older version of the library we were using (1.8.3) and seems to have been changed around 1.9.0 or 1.9.1.
This change in behavior has a very nasty side effect when coupled with the Spring Security Remember Me code. On each request, Spring Security will check to see if the user has a session - if they don’t, it will check to see if they have a remember me cookie. If they both do not have a session and do have a remember me cookie, Spring Security will say - “hey - I know who this user is. I’m going to create a session for them.” This is where the problem arises.
On a request to a static file which matches the requestUriIgnorePattern, Memcached would refuse to return the user’s session. As a result, Spring Security thinks the user doesn’t have a session - and thus, creates one. And that’s how you get a new session on every request to a static resource.
The solution seems to be that the Spring Security needs to be aligned with this requestUriIgnorePattern parameter. We disabled security on URLs for static resources, so Spring Security will not run on the requests where the session cannot be retrieved, resolving the problem.
