spring-session icon indicating copy to clipboard operation
spring-session copied to clipboard
verified publisher icon spring-projects

An "IllegalStateException: Session was invalidated" - exception is thrown after session was already invalidated

Open stefan-g opened this issue 1 year ago • 1 comments

I have a /logout rest endpoint that invalidates a session by using HttpSession#invalidate(). Sometimes (10 out of 1000 requests) the following IllegalStateException is thrown.

java.lang.IllegalStateException: Session was invalidated
	at org.springframework.session.data.redis.RedisSessionRepository.save(RedisSessionRepository.java:122)
	at org.springframework.session.data.redis.RedisSessionRepository.save(RedisSessionRepository.java:42)
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:227)
	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:145)
	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
			2 lines skipped for [org.apache.catalina]
	at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
			2 lines skipped for [org.apache.catalina]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
			2 lines skipped for [org.apache.catalina]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
			17 lines skipped for [org.apache.catalina, org.apache.tomcat, org.apache.coyote]
	at java.base/java.lang.Thread.run(Thread.java:840)

The exception occurs in combination with spring cloud gateway (netflix). It's seems that the way spring cloud gateway is forwarding the request causes some troubles in this case.

The used components are spring boot 3.2.3, spring cloud dependencies 2023.0.0, Redisson

I found a similar case here https://github.com/spring-projects/spring-security/pull/9128#issuecomment-984972101 but there it is related to spring security.

The exception can be reproduced by the following demo app (tested on windows 11). check readme.md for details.

stefan-g avatar Mar 20 '24 09:03 stefan-g

I'm having this same error in spring boot 3.3.2 but not with spring cloud but spring session redis backed by AWS serverless redis. I don't really understand it, and it seems like an invalidated session should be handled by default without throwing errors?

This seems related to #1277 possibly?

petervanwylen avatar Aug 13 '24 20:08 petervanwylen