Skip to content

SEC-2980: Possible race condition in SessionRegistryImpl #3189

New issue
New issue
Closed
Closed
SEC-2980: Possible race condition in SessionRegistryImpl#3189
Assignees
rwinch
Labels
in: coreAn issue in spring-security-corestatus: backportedAn issue that has been backported to maintenance branchestype: bugA general bugtype: jiraAn issue that was migrated from JIRA
Milestone
5.2.0.RC1
@spring-projects-issues

Description

@spring-projects-issues
spring-projects-issues
opened on May 18, 2015

Selene Feigl (Migrated from SEC-2980) said:

Hello,

there is a possible race condition in SessionRegistryImpl when handling the principals map (principal -> session id)

  • A principal P has one Session S1 in its set
  • Thread A wants to add S2 to the same principal (calling registerNewSession)
  • Thread A checks whether there is already a Set for principal P and gets a reference to the set containing S1
  • Thread B wants to remove S1 (calling removeSessionInformation)
  • Thread B obtains set from principal map and removes S1 from the Set
  • Thread B checks wheter the Set is empty - it is - as Thread A did not add S2 yet - and removes it from the Map
  • Thread A adds S2 to the non-referenced Set

Result: principals does not contain S2 as it should. If the session registry is used to limit number of sessions per user, the limit is not enforced. If a Spring application uses the SessionRegistry for other things, they won't work as expected. (listing all logged in users etc.)

Metadata

Metadata

Assignees

Labels

in: coreAn issue in spring-security-corestatus: backportedAn issue that has been backported to maintenance branchestype: bugA general bugtype: jiraAn issue that was migrated from JIRA

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions