Websocket reliability changes #428
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In WsWriteTimeout, ConcurrentSkipListSet ordering collapses endpoints that share the same timeoutExpiry (comparator returns 0 on equal timestamps). Any concurrent async writes that pick the same millisecond expiry will drop all but one endpoint from the timeout set, so those writes never time out and can hang indefinitely. Origin checking in server/DefaultServerEndpointConfigurator.java no longer throws when the Origin header is missing; with cross-origin policy enabled it rejects missing origins cleanly and logs the reason. The connection ID stored in WebSocketConnection is a random string, but the on-close fallback lookup uses the container session ID. When the session user properties can’t be read (the scenario the fallback is meant for), the lookup always fails and the connection stays registered in the scope/manager, leaking resources and skipping disconnect notifications.
mondain
reviewed
Dec 11, 2025
| // the websocket session id will be used for hash code comparison, its the only usable value currently | ||
| //wsSessionId = session.getId(); | ||
| wsSessionId = RandomStringUtils.insecure().nextAlphabetic(11); // random 11 char string | ||
| // use the websocket session id for comparisons and lookups |
Member
There was a problem hiding this comment.
We moved away from this because its guessable due to its being monotonic. 0, 1, 2... vs random 11 char string
Member
|
Closed as the accepted adjustments are added to another branch |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit from kdkd fork
5adfcf8Websocket reliability changes
In WsWriteTimeout, ConcurrentSkipListSet ordering collapses endpoints that
share the same timeoutExpiry (comparator returns 0 on equal timestamps).
Any concurrent async writes that pick the same millisecond expiry will drop
all but one endpoint from the timeout set, so those writes never time out
and can hang indefinitely.
Origin checking in server/DefaultServerEndpointConfigurator.java no longer
throws when the Origin header is missing; with cross-origin policy enabled
it rejects missing origins cleanly and logs the reason.
The connection ID stored in WebSocketConnection is a random string, but the
on-close fallback lookup uses the container session ID. When the session
user properties can’t be read (the scenario the fallback is meant for), the
lookup always fails and the connection stays registered in the
scope/manager, leaking resources and skipping disconnect notifications.