015 package com.liferay.portal.servlet;
016
017 import com.liferay.portal.kernel.cache.Lifecycle;
018 import com.liferay.portal.kernel.cache.ThreadLocalCacheManager;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.servlet.filters.compoundsessionid.CompoundSessionIdHttpSession;
022 import com.liferay.portal.kernel.servlet.filters.compoundsessionid.CompoundSessionIdSplitterUtil;
023 import com.liferay.portal.util.PropsValues;
024 import com.liferay.portal.util.WebKeys;
025
026 import java.util.concurrent.atomic.AtomicInteger;
027
028 import javax.servlet.http.HttpSession;
029 import javax.servlet.http.HttpSessionEvent;
030 import javax.servlet.http.HttpSessionListener;
031
032
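/**
 * Servlet session listener that runs the portal's session create/destroy
 * hooks and keeps a count of live sessions for the
 * {@code PropsValues.SESSION_MAX_ALLOWED} limit.
 *
 * <p>When the limit is positive and the count exceeds it, the new session is
 * flagged with the {@code WebKeys.SESSION_MAX_ALLOWED} attribute and an error
 * is logged. This class neither invalidates nor rejects the session; whatever
 * acts on the flag lives outside this file. A limit of zero or less disables
 * the counting entirely.</p>
 */
public class PortalSessionListener implements HttpSessionListener {

    /**
     * Runs the portal session-creation hook, registers the activation
     * listener on the session, and counts the session against the limit.
     *
     * @param httpSessionEvent the container's notification for the new
     *        session; re-wrapped around a {@code CompoundSessionIdHttpSession}
     *        when a session delimiter is configured
     */
    @Override
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
        if (CompoundSessionIdSplitterUtil.hasSessionDelimiter()) {
            CompoundSessionIdHttpSession compoundSessionIdHttpSession =
                new CompoundSessionIdHttpSession(httpSessionEvent.getSession());

            httpSessionEvent = new HttpSessionEvent(
                compoundSessionIdHttpSession);
        }

        HttpSession session = httpSessionEvent.getSession();

        boolean overLimit = false;

        try {
            new PortalSessionCreator(httpSessionEvent);

            PortalSessionActivationListener.setInstance(session);
        }
        finally {

            // Count the session even when a hook above throws: the session
            // already exists when this callback runs, and sessionDestroyed
            // decrements unconditionally. Skipping the increment would let
            // the counter drift low and weaken the limit.

            if (PropsValues.SESSION_MAX_ALLOWED > 0) {
                overLimit =
                    _counter.incrementAndGet() >
                        PropsValues.SESSION_MAX_ALLOWED;
            }
        }

        if (overLimit) {
            session.setAttribute(WebKeys.SESSION_MAX_ALLOWED, Boolean.TRUE);

            // NOTE(review): this fires once per over-limit session, so log
            // volume grows with the flood itself. Consider rate-limiting the
            // message or alerting on the counter rather than on log lines.

            _log.error(
                "Exceeded maximum number of " +
                    PropsValues.SESSION_MAX_ALLOWED + " sessions " +
                        "allowed. You may be experiencing a DoS attack.");
        }
    }

    /**
     * Runs the portal session-destruction hook, clears the session-lifecycle
     * thread-local caches, and releases the session's slot in the counter.
     *
     * @param httpSessionEvent the container's notification for the session
     *        being destroyed; re-wrapped around a
     *        {@code CompoundSessionIdHttpSession} when a session delimiter is
     *        configured
     */
    @Override
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        if (CompoundSessionIdSplitterUtil.hasSessionDelimiter()) {
            CompoundSessionIdHttpSession compoundSessionIdHttpSession =
                new CompoundSessionIdHttpSession(httpSessionEvent.getSession());

            httpSessionEvent = new HttpSessionEvent(
                compoundSessionIdHttpSession);
        }

        try {
            try {
                new PortalSessionDestroyer(httpSessionEvent);
            }
            finally {

                // Clear the caches even if the destroyer fails, so entries
                // tied to this session do not linger on the thread.
                // NOTE(review): presumably these are per-thread caches on a
                // pooled container thread; confirm against
                // ThreadLocalCacheManager.

                ThreadLocalCacheManager.clearAll(Lifecycle.SESSION);
            }
        }
        finally {

            // Always release the slot. If a failure above skipped the
            // decrement, the counter would creep upward until every new
            // session is flagged as over the limit.

            if (PropsValues.SESSION_MAX_ALLOWED > 0) {
                _counter.decrementAndGet();
            }
        }
    }

    private static final Log _log = LogFactoryUtil.getLog(
        PortalSessionListener.class);

    // Live-session count for this listener instance. It only sees sessions
    // created after the listener was registered, so it is an approximation.
    private final AtomicInteger _counter = new AtomicInteger();

}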