015 package com.liferay.portal.servlet;
016
017 import com.liferay.portal.kernel.cache.Lifecycle;
018 import com.liferay.portal.kernel.cache.ThreadLocalCacheManager;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.servlet.filters.compoundsessionid.CompoundSessionIdHttpSession;
022 import com.liferay.portal.kernel.servlet.filters.compoundsessionid.CompoundSessionIdSplitterUtil;
023 import com.liferay.portal.util.PropsValues;
024 import com.liferay.portal.util.WebKeys;
025
026 import java.util.concurrent.atomic.AtomicInteger;
027
028 import javax.servlet.http.HttpSession;
029 import javax.servlet.http.HttpSessionEvent;
030 import javax.servlet.http.HttpSessionListener;
031
032
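/**
 * Servlet session listener that forwards session create/destroy events to the
 * portal and, when {@code PropsValues.SESSION_MAX_ALLOWED} is positive, counts
 * the sessions this instance has seen created minus those it has seen
 * destroyed.
 *
 * <p>The listener does not reject sessions itself. A session created while the
 * count is above the limit is only marked with the
 * {@code WebKeys.SESSION_MAX_ALLOWED} attribute; whatever enforces the limit
 * reads that attribute elsewhere (not visible in this file).
 */
public class PortalSessionListener implements HttpSessionListener {

    /**
     * Handles a newly created session: runs the portal's session-creation
     * hook, registers the activation listener and updates the session count.
     *
     * @param httpSessionEvent the container's event; re-wrapped in a
     *        {@code CompoundSessionIdHttpSession} when a session id delimiter
     *        is configured
     */
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
        if (CompoundSessionIdSplitterUtil.hasSessionDelimiter()) {
            CompoundSessionIdHttpSession compoundSessionIdHttpSession =
                new CompoundSessionIdHttpSession(httpSessionEvent.getSession());

            httpSessionEvent = new HttpSessionEvent(
                compoundSessionIdHttpSession);
        }

        new PortalSessionCreator(httpSessionEvent);

        HttpSession session = httpSessionEvent.getSession();

        PortalSessionActivationListener.setInstance(session);

        if (PropsValues.SESSION_MAX_ALLOWED > 0) {
            if (_counter.incrementAndGet() > PropsValues.SESSION_MAX_ALLOWED) {

                // Mark the session rather than refuse it; the session already
                // exists by the time this listener is called.

                session.setAttribute(WebKeys.SESSION_MAX_ALLOWED, Boolean.TRUE);

                // NOTE(review): this is written once per session over the
                // limit, so a sustained flood also produces one error line
                // per excess session. Confirm the logging setup can absorb
                // or throttle that volume.

                _log.error(
                    "Exceeded maximum number of " +
                        PropsValues.SESSION_MAX_ALLOWED + " sessions " +
                            "allowed. You may be experiencing a DoS attack.");
            }
        }
    }

    /**
     * Handles a destroyed session: runs the portal's session-destruction
     * hook, clears the session-scoped thread local caches and updates the
     * session count.
     *
     * <p>The cache clearing and the decrement run in {@code finally} blocks so
     * that they still happen when an earlier step throws; the exception is
     * propagated unchanged.
     *
     * @param httpSessionEvent the container's event; re-wrapped in a
     *        {@code CompoundSessionIdHttpSession} when a session id delimiter
     *        is configured
     */
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        if (CompoundSessionIdSplitterUtil.hasSessionDelimiter()) {
            CompoundSessionIdHttpSession compoundSessionIdHttpSession =
                new CompoundSessionIdHttpSession(httpSessionEvent.getSession());

            httpSessionEvent = new HttpSessionEvent(
                compoundSessionIdHttpSession);
        }

        try {
            new PortalSessionDestroyer(httpSessionEvent);
        }
        finally {
            try {
                ThreadLocalCacheManager.clearAll(Lifecycle.SESSION);
            }
            finally {

                // A skipped decrement would leave the count one too high for
                // the life of this listener. Enough of those would flag
                // legitimate sessions as exceeding the limit.

                if (PropsValues.SESSION_MAX_ALLOWED > 0) {
                    _counter.decrementAndGet();
                }
            }
        }
    }

    private static final Log _log = LogFactoryUtil.getLog(
        PortalSessionListener.class);

    // Sessions created minus sessions destroyed, as seen by this instance.
    // NOTE(review): the decrement is not paired with a recorded increment, so
    // a destroy event for a session this instance never saw created would
    // push the value below the real number of sessions and loosen the limit.
    // Confirm whether the container can deliver such events.

    private final AtomicInteger _counter = new AtomicInteger();

}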