
Fixing memory leak, full description:

Open krzysztofslusarski opened this issue 3 years ago • 3 comments

The class org.jasig.cas.client.session.HashMapBackedSessionMappingStorage contains 2 maps:

```java
private final Map<String, HttpSession> MANAGED_SESSIONS = new HashMap<String, HttpSession>();
private final Map<String, String> ID_TO_SESSION_KEY_MAPPING = new HashMap<String, String>();
```

There is a part of the CAS client that listens on server events and clears that storage on session destroy. That code is in org.jasig.cas.client.session.SingleSignOutHttpSessionListener. The problem is that the public API of javax.servlet.http.HttpServletRequest has a method (from servlet v3.1): `String changeSessionId();`. That method doesn't destroy a session, but changes its id. This type of action doesn't affect the maps in the HashMapBackedSessionMappingStorage. It causes a memory leak, because a session with a changed id cannot be removed from the storage. Changing the session id is the default in Spring's implementation of session fixation protection, so the problem may be popular in the future. The default is implemented in org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy and is created as default in org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#createDefaultSessionFixationProtectionStrategy.

Possible fix: implement a listener that implements javax.servlet.http.HttpSessionIdListener and manipulates the maps in HashMapBackedSessionMappingStorage.

krzysztofslusarski avatar Oct 17 '21 11:10 krzysztofslusarski
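As an added illustration of the fix proposed in the issue (not code from java-cas-client), here is a minimal stand-in for the two maps quoted above together with an HttpSessionIdListener that re-keys the session-id index when changeSessionId() runs. The key directions (mapping id to session, session id to mapping id), the method names and the @WebListener registration are assumptions for this example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/** Constructed stand-in for the two maps of HashMapBackedSessionMappingStorage. */
public final class SessionIdAwareStorage {
    /** CAS mapping id (ticket) -> session; key direction assumed. */
    private static final Map<String, HttpSession> MANAGED_SESSIONS = new HashMap<>();
    /** servlet session id -> CAS mapping id; key direction assumed. */
    private static final Map<String, String> ID_TO_SESSION_KEY_MAPPING = new HashMap<>();

    public static synchronized void addSessionById(String mappingId, HttpSession session) {
        ID_TO_SESSION_KEY_MAPPING.put(session.getId(), mappingId);
        MANAGED_SESSIONS.put(mappingId, session);
    }

    /** Cleanup path run on session destroy; the only one the issue describes. */
    public static synchronized void removeBySessionById(String sessionId) {
        String mappingId = ID_TO_SESSION_KEY_MAPPING.remove(sessionId);
        if (mappingId != null) {
            MANAGED_SESSIONS.remove(mappingId);
        }
    }

    /**
     * The missing step: move the index entry from the old id to the new one.
     * Without it, the later destroy of the new id finds nothing and the entry leaks.
     */
    public static synchronized void sessionIdChanged(String oldSessionId, String newSessionId) {
        String mappingId = ID_TO_SESSION_KEY_MAPPING.remove(oldSessionId);
        if (mappingId != null) {
            ID_TO_SESSION_KEY_MAPPING.put(newSessionId, mappingId);
        }
    }

    public static synchronized int managedCount() {
        return MANAGED_SESSIONS.size();
    }

    /** Listener of the kind the issue proposes: forwards Servlet 3.1 id changes into the storage. */
    @WebListener
    public static final class IdChangeListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            SessionIdAwareStorage.sessionIdChanged(oldSessionId, event.getSession().getId());
        }
    }
}
```

Only the session-id index needs re-keying: changeSessionId() keeps the same HttpSession object, so the entry in the mapping-id map stays valid.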

This PR looks pretty much like this one: https://github.com/apereo/java-cas-client/pull/571

Emkas avatar Nov 08 '21 10:11 Emkas

This patch has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 16 '22 05:04 stale[bot]

I didn't expect a stale bot here.

Emkas avatar Apr 16 '22 07:04 Emkas

@mmoayyed Why is this closed without any comment?

Emkas avatar Apr 24 '23 06:04 Emkas