OpenMRS Open Sessions

Our team is in the midst of upgrading from OpenMRS 1.7.x to 1.12.x, and we noticed a strange behavior.

  1.  Start OpenMRS
  2.  Login as admin
  3.  Go to the Administration page
  4.  Stop application server (Tomcat)
  5.  Start OpenMRS
  6.  Go directly to the Administration page
  7.  No login is required to view the Administration page

We were always required to log in again after a Tomcat restart in OpenMRS 1.7.x. Is this considered a security vulnerability since the session is not destroyed?

We’re also concerned this may lead to other session-related issues.

Thanks, Steve McKee

I think I have seen this happen before but was unable to reproduce it. Would be nice if one could look into how to consistently reproduce it

It occurs for me every time I perform the steps provided.

I have been loading the admin page URL as soon as I click the “Start” button on Tomcat. This might be the key.

Turns out it’s a feature of Tomcat 7. It’s set to enable session persistence by default, and here’s a link to disable it:

OpenMRS must have made use of this feature somewhere between 1.7 and 1.12


Thanks @sjmckee for sharing your findings. Would you consider this to be a bug in OpenMRS?

FWIW, it happened with this ticket: Hence started from 1.8.4 and above when UserContext implemented the Serializable interface. That is because when the server is configured to persist sessions on restarts, it will persist only those objects that implement the Serializable. Therefore this explains why the same tomcat configurations could not lead to what you reported until when you upgraded.

Implementing Serializable is good in general. Some application servers require that any object stored in session (and its references) implements Serializable.

No, I would not consider this an OpenMRS bug. Thanks for the information on the serialization referenced in TRUNK-3327.