Commit Graph

12 Commits

Author SHA1 Message Date
Rob Winch
d96c8f2ce5 Clarify Redis expirations and cleanup task 2015-01-08 10:29:07 -06:00
Rob Winch
5847801a32 RedisSessionExpirationPolicy.cleanExpiredSessions does not delete performs get
The Problem:

The background task that cleans up sessions can incorrectly remove a
session due to a race condition.

Assume an existing session with the id "1" exists and will expire at
1420656360000. This means our redis store has the following:

spring:session:expirations:1420656360000 -> [1]
spring:session:session:1 -> <session>
Consider the following sequence:

* Thread 1 requests Session 1 and determines it should be forcibly deleted
up at 1420656420000
* Thread 2 requests Session 2 and determines it should be forcibly deleted
one minute later at 1420656480000
* Thread 2 removes Session 1 from 1420656360000, so it will no longer be
forcibly deleted at that time

spring:session:expirations:1420656360000 -> []
spring:session:session:1 -> <session>

* Thread 2 adds Session 1 to 1420656480000

spring:session:expirations:1420656360000 -> []
spring:session:session:1 -> <session>
spring:session:expirations:1420656480000 -> [1]

* Thread 1 removes Session 1 (which was already removed) from 1420656360000 (the original expiration)

spring:session:expirations:1420656360000 -> []
spring:session:session:1 -> <session>
spring:session:expirations:1420656480000 -> [1]

* Thread 1 adds Session 1 to 1420656420000

spring:session:expirations:1420656360000 -> []
spring:session:session:1 -> <session>
spring:session:expirations:1420656480000 -> [1]
spring:session:expirations:1420656420000 -> [1]

Now the session is mapped to be forcibly deleted in two locations.
However, at most it will be cleaned up in one location. This means that the
session will be forcibly deleted even if the session is continued to be
used.

Fixing the Issue:

Instead of deleting the session, we should have the background task access
the key which will only forcibly delete the key if it is expired. This mean
s that a session could at earliest be deleted when the value in the
datastore indicates.

This still means that a session can be deleted too soon since the
incorrect TTL may be set on a key. However, at worst this is the the
longest HTTP request length. Short of using distributed locking there
isn't a good answer to get exact consistency.

Fixes gh-93
2015-01-07 14:39:10 -06:00
Rob Winch
1eca2bc0ad Add Basic REST documentation to reference 2015-01-06 16:16:18 -06:00
Rob Winch
f619cef67a Remove Maven from referece documentation
Save details like Maven documentation for the in-depth guides.
2015-01-06 15:36:19 -06:00
Rob Winch
090d106376 Polish docs 2015-01-06 13:46:36 -06:00
Rob Winch
8acaed750a Polish doc 2015-01-05 16:13:18 -06:00
Rob Winch
79569f5a6f Polish doc 2015-01-05 16:12:45 -06:00
Rob Winch
ed28eab835 Added link to Javadoc in reference
Issue gh-41
2015-01-05 15:37:49 -06:00
Rob Winch
37572113c3 Fix links to samples
Issues gh-41
2015-01-05 15:33:57 -06:00
Rob Winch
f4b87b7ae7 Include Time Unit for ExpiringSession maxinactiveInterval
Fixes gh-82
2015-01-05 14:10:04 -06:00
Rob Winch
cd85c647ff Add REST Sample
Issue gh-41
2015-01-05 12:56:57 -06:00
Rob Winch
64a0312bf7 Start Documentation
Issue gh-41
2014-12-23 17:26:27 -06:00