InMemoryWebSessionStore Leaks Memory [SPR-15963]

[spring-projects-issues]

Rob Winch opened SPR-15963 and commented

InMemoryWebSessionStore leaks expired sessions. There is code in DefaultWebSessionManger that cleans up an expired session but only if the user makes a request with that expired session. This means that if a user creates a session and just closes the browser tab without logging out, the session is never deleted.

Another problem is that relying on DefaultWebSessionManger to clean up the expired session is leaking implementation details. If someone wrote their own WebSessionManager and did not clean up the expired sessions within it, the problem would be even worse.

I think it would be better if InMemoryWebSessionStore knew how to clean up its own sessions (both the ones that are accessed and the ones that are never accessed again).

---

Affects: 5.0 RC4

Issue Links:

• InMemoryWebSessionStore could leak memory if sessions created but never used [SPR-17020] #21558 InMemoryWebSessionStore could leak memory if sessions created but never used

Referenced from: commits ec5969c, cb2decc, 6da3518

[spring-projects-issues]

adrienleroy commented

We are facing a similar issue. Session are created but users never reuse the session id. So in InMemoryWebSessionStore we never go through the retrieveSession method and sessions are keeped and never cleaned up. I think that InMemoryWebSessionStore should not rely on session's creation/retrieval etc... to clean up its own sessions.

[spring-projects-issues]

Rossen Stoyanchev commented

This ticket cannot be re-opened because the fix has been released. You need to create a new ticket with a fresh description relative to the way it works currently. There was 3 commits as part of this ticket to address the issue and currently InMemoryWebSessionStore does check periodically and cleans up sessions.