Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

requestUriIgnorePattern causes multiple unwanted new sessions

See original GitHub issue

Versions: Java 1.8.0_191, Tomcat 8.5.30, Jedis 2.9.0, Redis 5.0, mcm 2.3.2

With the below in context.xml, and with Tomcat serving everything (including static files), when I request my application’s home page, I see in the logs one new session created per ‘ignore’, which causes sessions to be lost, and my application doesn’t work as expected:

    <Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
      memcachedNodes="redis://localhost"
      sticky="false"
      sessionBackupAsync="false"
      lockingMode="none"
      requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js|woff)$"
    />

25-Jan-2019 10:00:29.706 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET / (requestedSessionId null) ==================
25-Jan-2019 10:00:42.736 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id DB693BE3EBB48516131B9BA9A22FF232
25-Jan-2019 10:00:42.869 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET / ==================
25-Jan-2019 10:00:43.408 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/site-dispatcher (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.610 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/site-dispatcher ==================
25-Jan-2019 10:00:43.616 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/pageLayout (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.639 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/pageLayout ==================
25-Jan-2019 10:00:43.646 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.880 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout ==================
25-Jan-2019 10:00:43.900 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/login/css/login.css (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.901 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id 7E3BCA8B66303C9A036E4C7070B696AD
25-Jan-2019 10:00:43.902 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/login/css/login.css ==================
25-Jan-2019 10:00:43.905 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js (requestedSessionId DB693BE3EBB48516131B9BA9A22FF232) ==================
25-Jan-2019 10:00:43.906 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id A7D8C5014DDEF90A9235BA66153595BA
25-Jan-2019 10:00:43.906 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js ==================
25-Jan-2019 10:00:44.236 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg (requestedSessionId A7D8C5014DDEF90A9235BA66153595BA) ==================
25-Jan-2019 10:00:44.237 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id DFAF47A85719DD161A3DEF71C73F3F0D
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-9] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/login/images/logo@2x.png (requestedSessionId A7D8C5014DDEF90A9235BA66153595BA) ==================
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg ==================
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Ignoring: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff (requestedSessionId A7D8C5014DDEF90A9235BA66153595BA) ==================
25-Jan-2019 10:00:44.238 FINE [http-nio-8081-exec-9] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id ADF993B587903561D38A67F56B41BDB4
25-Jan-2019 10:00:44.239 FINE [http-nio-8081-exec-9] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/login/images/logo@2x.png ==================
25-Jan-2019 10:00:44.239 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id E9E8C2C1319D077D1C7134C771AA2840
25-Jan-2019 10:00:44.239 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Ignored: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff ==================

This is unexpected behaviour. I would expect exactly one new session to be created in total, not one new session per ignored static file.

If I then remove the requestUriIgnorePattern attribute, leaving my context.xml as follows:

    <Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
      memcachedNodes="redis://localhost"
      sticky="false"
      sessionBackupAsync="false"
      lockingMode="none"
    />

Then I see exactly one new session created as expected, and my application works as expected:

25-Jan-2019 09:54:38.627 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET / (requestedSessionId null) ==================
25-Jan-2019 09:54:38.629 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.MemcachedSessionService.createSession Created new session with id 88FBBB43BCF0131E37129779977B4608
25-Jan-2019 09:54:38.644 FINE [http-nio-8081-exec-10] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET / ==================
25-Jan-2019 09:54:38.977 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/site-dispatcher (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.021 FINE [http-nio-8081-exec-6] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/site-dispatcher ==================
25-Jan-2019 09:54:39.028 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/pageLayout (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.038 FINE [http-nio-8081-exec-4] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/pageLayout ==================
25-Jan-2019 09:54:39.043 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.104 FINE [http-nio-8081-exec-3] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /servlet/xxx/login?target=%2Fservlet%2Fxxx%2FpageLayout ==================
25-Jan-2019 09:54:39.119 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/login/css/login.css (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.123 FINE [http-nio-8081-exec-2] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.126 FINE [http-nio-8081-exec-2] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/javascript/jQuery/jquery-1.12.4.min.js ==================
25-Jan-2019 09:54:39.130 FINE [http-nio-8081-exec-5] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/login/css/login.css ==================
25-Jan-2019 09:54:39.409 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.411 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.412 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke >>>>>> Request starting: GET /xx/xxxxxx/login/images/logo@2x.png (requestedSessionId 88FBBB43BCF0131E37129779977B4608) ==================
25-Jan-2019 09:54:39.418 FINE [http-nio-8081-exec-8] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/styles_core/font/open-sans/OpenSans-Regular-webfont.woff ==================
25-Jan-2019 09:54:39.422 FINE [http-nio-8081-exec-1] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/login/images/logo@2x.png ==================
25-Jan-2019 09:54:39.425 FINE [http-nio-8081-exec-7] de.javakaffee.web.msm.RequestTrackingHostValve.invoke <<<<<< Request finished: GET /xx/xxxxxx/login/images/man-hands-working-technology.jpg ==================

Issue Analytics

State:
Created 5 years ago
Comments:8

Top GitHub Comments

1reaction

emrldwpncommented, Jul 12, 2020

We also ran into this problem when upgrading our MSM library and it took an absurd amount of time to understand what was going on. Here’s an explanation of what happened in our case, which I hope might save other people the pain we went through.

According to the memcached session manager documentation, there is a parameter requestUriIgnorePattern.

This attribute contains a regular expression for request URIs, that shall not trigger a session backup. If static resources like css, javascript, images etc. are delivered by the same tomcat and the same web application context these requests will also pass the memcached-session-manager. However, as these requests should not change anything in a http session, they should also not trigger a session backup. So you should check if any static resources are delivered by tomcat and in this case you should exclude them by using this attribute. The requestUriIgnorePattern must follow the java regex Pattern.

What the documentation fails to mention is that if a request matches the requestUriIgnorePattern, not only will the session not be backed up, but it will also not be accessible. This was not the case in the older version of the library we were using (1.8.3) and seems to have been changed around 1.9.0 or 1.9.1.

This change in behavior has a very nasty side effect when coupled with the Spring Security Remember Me code. On each request, Spring Security will check to see if the user has a session - if they don’t, it will check to see if they have a remember me cookie. If they both do not have a session and do have a remember me cookie, Spring Security will say - “hey - I know who this user is. I’m going to create a session for them.” This is where the problem arises.

On a request to a static file which matches the requestUriIgnorePattern, Memcached would refuse to return the user’s session. As a result, Spring Security thinks the user doesn’t have a session - and thus, creates one. And that’s how you get a new session on every request to a static resource.

The solution seems to be that the Spring Security needs to be aligned with this requestUriIgnorePattern parameter. We disabled security on URLs for static resources, so Spring Security will not run on the requests where the session cannot be retrieved, resolving the problem.

1reaction

billapeppercommented, Jul 9, 2020

Thanks for this ticket, we had the same problem and after trying tons of different things, we finally found this ticket. We are running Tomcat/7.0.68 with an AWS Ehcache Memcached instance with memcached-session-manager-2.3.2.jar

Top Results From Across the Web

Trying to setup msm - Google Groups

to memcached-session-manager. Hi I'm trying to setup msm 1.3.0 on a two-node cluster, but can't get it to work. I'm using Tomcat 6.0.26-3~bpo50+1...

Session being lost after multiple (cancelled) POST requests

According to this SO question the session data is locked until (usually) the scripts finishes execution. This causes multiple requests to pile up...

memcached-session-manager - SetupAndConfiguration.wiki

Specifies the locking strategy for non-sticky sessions. Session locking is useful to prevent concurrent modifications and lost updates of the session in the ......

Apache Tomcat 8 Configuration Reference (8.5.84)

If it is not included, a default Manager configuration will be created ... When the limit is reached, any attempt to create a...

[JAVA] The guy who replicates sessions with tomcat

What should I do with session information when autoscaling a Java web ... is called in a request that matches requestUriIgnorePattern, it is...