Our team is in the midst of upgrading from OpenMRS 1.7.x to 1.12.x, and we noticed a strange behavior.
1. Start OpenMRS
2. Login as admin
3. Go to the Administration page
4. Stop application server (Tomcat)
5. Start OpenMRS
6. Go directly to the Administration page
7. No login is required to view the Administration page
We were always required to log in again after a Tomcat restart in OpenMRS 1.7.x. Is this considered a security vulnerability since the session is not destroyed?
We’re also concerned this may lead to other session-related issues.
FWIW, it happened with this ticket: https://issues.openmrs.org/browse/TRUNK-3327
Hence it started from 1.8.4 and above, when UserContext implemented the Serializable interface.
That is because when the server is configured to persist sessions on restarts, it will persist only those objects that implement Serializable. Therefore this explains why the same Tomcat configurations could not lead to what you reported until you upgraded.
Implementing Serializable is good in general. Some application servers require that any object stored in session (and its references) implements Serializable.
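As an added illustration of the mechanism described in the two replies above (not configuration from the thread or from the OpenMRS project), here is the Tomcat `Manager` setting that decides whether a logged-in session survives a restart; the default `StandardManager` writes every Serializable session attribute to a `SESSIONS.ser` file on shutdown and reloads it on startup, and setting `pathname` to an empty string disables that. The file location `conf/context.xml` assumes a standard Tomcat layout.

```xml
<!-- conf/context.xml (applies to every deployed webapp) or META-INF/context.xml inside the WAR -->

<!-- Weak: this is what Tomcat does when no <Manager> element is present at all.
     On a clean shutdown the StandardManager serializes all sessions whose attributes
     implement java.io.Serializable (UserContext does from 1.8.4 on) into
     work/Catalina/localhost/<app>/SESSIONS.ser and restores them on the next start,
     so an admin who was logged in before the restart is still logged in afterwards. -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           pathname="SESSIONS.ser" />
</Context>

<!-- Hardened: an empty pathname turns off restart persistence, so a Tomcat restart
     invalidates every session and users must authenticate again, matching the
     behaviour seen on 1.7.x where UserContext was not Serializable. -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           pathname="" />
</Context>
```

Only one of the two `<Context>` blocks belongs in the file; after the change, delete any existing `SESSIONS.ser` under the Tomcat `work` directory so previously saved sessions are not reloaded once more.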