IllegalStateException for the "Too many active Sessions" error on createSession(..) sometimes results in an empty response with HTTP 200 OK status instead of an error message. I saw this happening when Tomcat tries to create session #(n+1) for a protected area with FORM based authentication and a SessionManager with maxActiveSessions=n, not depending on whether StandardManager or PersistentManager is being used.
Reproduction:
1) Add webapps/examples/META-INF/context.xml with the following content:
    <Context>
      <Manager className="org.apache.catalina.session.StandardManager" maxActiveSessions="1">
      </Manager>
    </Context>
2) Restart Tomcat
3) Visit http://localhost:8080/examples/jsp/security/protected/
4) Clear cookies in your browser
5) Repeat step 3).
Result:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Cache-Control: private
    Expires: Thu, 01 Jan 1970 01:00:00 CET
    Transfer-Encoding: chunked
    Date: Mon, 25 Jul 2011 13:20:56 GMT
Expected Result:
    HTTP/1.1 500 OK
    Server: Apache-Coyote/1.1
    [...]
Thanks for the report and the steps to reproduce the error. I have fixed this in 7.0.x and it will be included in 7.0.20 onwards.
Thank you. What I forgot to mention is that this issue also hits Tomcat 6. Maybe you'd check older versions too.
Re-open to fix older versions
Created attachment 27316: Proposed patch for Tomcat 6 v1
Created attachment 27317: Proposed patch for Tomcat 5 v1
Created attachment 27318: Proposed patch for Tomcat 6 v2. Removes additional fixes from patch.
Created attachment 27421: Proposed patch for Tomcat 5 v2. Updates patch for 5.5.x after review comments.
Created attachment 27434: Updated patch. Addresses review comments (needed to catch Throwable in JkCoyoteHandler).
Tomcat 7.0.20 now correctly responds "HTTP/1.1 500", but I still don't get my error page configured in web.xml like this:
    <error-page>
      <error-code>500</error-code>
      <location>/static/error/internal.html</location>
    </error-page>
I've added some code to 7.0.x that will use custom error pages in this scenario. I don't intend to back-port this part of the fix to 6.0.x or 5.5.x.
The proposed patch has been applied to 5.5 and will be in 5.5.34. The example of maxActiveSessions="1" in the Description now results in a reply with HTTP status 500, whereas with 5.5.33 the status was 200. The content of the response is still empty. The patch has not been applied to 6.0 yet, so I am leaving this issue open.
The patch has been applied to 6.0.x and will be included in 6.0.34 onwards.