When session is stored in StandardManager#doUnload method, an invalid session is stored. For instance, If HttpSession#invalidate is executed while executing StandardManager#doUnload, session of "isValid=false" is stored. The session of isValid=false is restored in StandardManager#doLoad, and it registers in session map (sessions). However, no one can invalidate this session. If isValid is false, StandardSession#invalidate() and StandardSession#isValid() can not expire session. They are throws IllegalStateException or return immediately. Consequently, the session of isValid=false is never deleted from the session map(sessions). I made a patch. If session is already invalid, expire session to prevent memory leak. Best Regards. Keiichi.
Created attachment 25290 [details] If session is already invalid, expire session to prevent memory leak.
Fixed in trunk and proposed for 6.0.x.
This fix applied to 6.0, will be in 6.0.27 onwards.