Spring session not retaining unexpired session

[veereshwaran]

Hi
Recently I upgraded spring boot version 1.x to 2.1. In my project I am using spring session with redis + spring OAuth2.

Previous spring session version was
org.springframework.session:spring-session:1.3.3.RELEASE

New spring session version is
org.springframework.session:spring-session-data-redis:2.1.2.RELEASE

In my application, for any valid HTTP request with Session Cookie, it creates the new session.

• In old version of spring session, it will retain the previous session until it expires
• In new version of spring session, it will delete the previous session and it creates new session.

Here my problem is,
In my application, receives two HTTP request with same session cookie receives 1-5 millisecond time different,
For first request, it will successfully processed. but second request, it will throw the following error

Caused by: io.lettuce.core.RedisCommandExecutionException: ERR no such key

Could you anyone give proper solution to this issue?

[vpavic]

Thanks for the report @veereshwaran - could you by any chance provide a sample app that we could use to reproduce the problem? We also have a similar issue reported in #1270.

[veereshwaran]

Hi @vpavic
I have uploaded sample application to reproduce this issue

Can you refer below git repo?
https://github.com/veereshwaran/client-application

On html page I am calling two API's to SSO server

/user/whoami
/user
If I set spring.session.store-type=none
200 Ok Status received for above two API calls

So, My client application properly renders the user-details properly

If I set spring.session.store-type=redis
First API ("/whoami") gives 200 OK status

Second API ("/user") gives 500 Error with following error message
{ "timestamp": "2019-01-16T11:41:33.357+0000", "status": 500, "error": "Internal Server Error", "message": "Error in execution; nested exception is io.lettuce.core.RedisCommandExecutionException: ERR no such key", "path": "/user" }
So my application not rendering user-detail

[veereshwaran]

I think following code block may cause this issue

spring-session/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisOperationsSessionRepository.java

Line 826 in f00a1b9

saveChangeSessionId(sessionId);

In previous version 1.3

spring-session/spring-session/src/main/java/org/springframework/session/data/redis/RedisOperationsSessionRepository.java

Lines 764 to 769 in 3db2e13

	private void saveDelta() {
	if (this.delta.isEmpty()) {
	return;
	}
	String sessionId = getId();
	getSessionBoundHashOperations(sessionId).putAll(this.delta);

Here It will keep the previous session

I have configured HttpSecurity
http..sessionManagement().sessionFixation().none();

But it is not working.

[vpavic]

Thanks for following up and providing details @veereshwaran - I'll try to take a closer look at this soon.

[vpavic]

I was able to reproduce the problem using your sample @veereshwaran, but the sample itself is far from a minimal one, and doesn't reproduce the problem easily enough to get a clearer picture of what's going on. It appears that the error is caused by concurrent requests attempting to change session id.

[vpavic]

Since the underlying issue appears to be the same as in #1270, I'm going to close this one as duplicate. Please track that issue and post further info there.

[vpavic]

Duplicate of #1270