015 package com.liferay.portal.servlet;
016
017 import com.liferay.portal.kernel.cache.Lifecycle;
018 import com.liferay.portal.kernel.cache.ThreadLocalCacheManager;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.servlet.filters.compoundsessionid.CompoundSessionIdHttpSession;
022 import com.liferay.portal.kernel.servlet.filters.compoundsessionid.CompoundSessionIdSplitterUtil;
023 import com.liferay.portal.util.PropsValues;
024 import com.liferay.portal.util.WebKeys;
025
026 import java.util.concurrent.atomic.AtomicInteger;
027
028 import javax.servlet.http.HttpSession;
029 import javax.servlet.http.HttpSessionEvent;
030 import javax.servlet.http.HttpSessionListener;
031
032
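/**
 * Session listener that runs portal bookkeeping when an HTTP session is
 * created or destroyed and, when {@code PropsValues.SESSION_MAX_ALLOWED} is
 * greater than zero, keeps a live count of sessions so that sessions opened
 * beyond that limit can be flagged.
 *
 * <p>
 * The count is held in an {@link AtomicInteger} because the container may
 * deliver session events on different threads.
 * </p>
 */
public class PortalSessionListener implements HttpSessionListener {

	/**
	 * Handles a newly created session.
	 *
	 * <p>
	 * When a session delimiter is configured, the session is wrapped in a
	 * {@code CompoundSessionIdHttpSession} before it is handed on. If the
	 * session limit is enabled and this session pushes the live count above
	 * it, the session is marked with the
	 * {@code WebKeys.SESSION_MAX_ALLOWED} attribute and an error is logged.
	 * The session itself is not invalidated here.
	 * </p>
	 *
	 * @param httpSessionEvent the container's notification for the new
	 *        session
	 */
	public void sessionCreated(HttpSessionEvent httpSessionEvent) {
		if (CompoundSessionIdSplitterUtil.hasSessionDelimiter()) {
			CompoundSessionIdHttpSession compoundSessionIdHttpSession =
				new CompoundSessionIdHttpSession(httpSessionEvent.getSession());

			httpSessionEvent = new HttpSessionEvent(
				compoundSessionIdHttpSession);
		}

		new PortalSessionCreator(httpSessionEvent);

		HttpSession session = httpSessionEvent.getSession();

		session.setAttribute(
			PortalSessionActivationListener.class.getName(),
			PortalSessionActivationListener.getInstance());

		if (PropsValues.SESSION_MAX_ALLOWED > 0) {

			// NOTE(review): the increment is only reached when everything
			// above succeeded, while sessionDestroyed always decrements. A
			// failure above would therefore leave the count one too low
			// after the session ends; confirm the calls above cannot throw.

			if (_counter.incrementAndGet() > PropsValues.SESSION_MAX_ALLOWED) {

				// The flag is only set here; presumably request handling
				// elsewhere reads it to refuse service. Verify against the
				// consumer of WebKeys.SESSION_MAX_ALLOWED.

				session.setAttribute(WebKeys.SESSION_MAX_ALLOWED, Boolean.TRUE);

				// One error line is written per over-limit session, so a
				// session flood also produces a log flood. Size log
				// retention and alerting with that in mind.

				_log.error(
					"Exceeded maximum number of " +
						PropsValues.SESSION_MAX_ALLOWED + " sessions " +
							"allowed. You may be experiencing a DoS attack.");
			}
		}
	}

	/**
	 * Handles a session that is being destroyed: runs the portal's session
	 * teardown, clears session-lifecycle thread local caches, and releases
	 * the session's slot in the live count.
	 *
	 * <p>
	 * The decrement runs in a {@code finally} block. Otherwise an exception
	 * from the teardown would leave the count permanently too high, and
	 * enough such failures would cause new sessions to be flagged as over
	 * the limit although the real number of sessions is below it.
	 * </p>
	 *
	 * @param httpSessionEvent the container's notification for the session
	 *        being destroyed
	 */
	public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
		try {
			if (CompoundSessionIdSplitterUtil.hasSessionDelimiter()) {
				CompoundSessionIdHttpSession compoundSessionIdHttpSession =
					new CompoundSessionIdHttpSession(
						httpSessionEvent.getSession());

				httpSessionEvent = new HttpSessionEvent(
					compoundSessionIdHttpSession);
			}

			new PortalSessionDestroyer(httpSessionEvent);

			ThreadLocalCacheManager.clearAll(Lifecycle.SESSION);
		}
		finally {
			if (PropsValues.SESSION_MAX_ALLOWED > 0) {
				_counter.decrementAndGet();
			}
		}
	}

	private static final Log _log = LogFactoryUtil.getLog(
		PortalSessionListener.class);

	// Number of sessions created and not yet destroyed, as seen by this
	// listener instance. Only maintained when the session limit is enabled.

	private final AtomicInteger _counter = new AtomicInteger();

}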