root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Allow update of existing WebSession after max sessions limit is reached 

Previously, when saving a WebSession, the system did not check whether
the session ID already existed. As a result, even if the session being
saved was an update to an existing one, it was incorrectly treated as a
new session, and a "maximum sessions exceeded" error was triggered.

This fix ensures that if a WebSession with the same ID already exists,
it will be updated rather than counted as a new session, thereby
preventing unnecessary session limit violations.

See gh-35013
Closes gh-35018

Signed-off-by: Mohammad Saeed Nouri <msnsaeed71@gmail.com>
(cherry picked from commit c04902fefb)
This commit is contained in:
Mohammad Saeed Nouri 2025-06-08 15:44:06 +03:30 committed by Sam Brannen
parent 59d2895c82
commit cd44efaf68
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
View File

@ -280,7 +280,7 @@ public class InMemoryWebSessionStore implements WebSessionStore {
private void checkMaxSessionsLimit() {
if (sessions.size() >= maxSessions) {
expiredSessionChecker.removeExpiredSessions(clock.instant());
if (sessions.size() >= maxSessions) {
if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {
throw new IllegalStateException("Max sessions limit reached: " + sessions.size());
}
}

20
spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
View File

@ -23,6 +23,7 @@ import java.util.stream.IntStream;
import org.junit.jupiter.api.Test;
import reactor.core.scheduler.Schedulers;
import reactor.test.StepVerifier;
import org.springframework.beans.DirectFieldAccessor;
import org.springframework.web.server.WebSession;
@ -157,6 +158,25 @@ class InMemoryWebSessionStoreTests {
.withMessage("Max sessions limit reached: 10");
}
@Test
void updateSession() {
WebSession oneWebSession = insertSession();
StepVerifier.create(oneWebSession.save())
.expectComplete()
.verify();
}
@Test
void updateSession_whenMaxSessionsReached() {
WebSession onceWebSession = insertSession();
IntStream.range(1, 10000).forEach(i -> insertSession());
StepVerifier.create(onceWebSession.save())
.expectComplete()
.verify();
}
private WebSession insertSession() {
WebSession session = this.store.createWebSession().block();