Session restorers are set in the session without checking if one exists already. This means that an old timeout value can be overwritten and the session will leak unless invalidated explicitly.
Example AtmosphereHandler (with a 1 minute session timeout configured in web.xml):

```java
// Suspends every request for 2 minutes, i.e. longer than the 60s session timeout
// from web.xml, so Atmosphere must park the session timeout (-1) while suspended.
public void onRequest(AtmosphereResource resource) throws IOException {
    resource.suspend(2, TimeUnit.MINUTES);
}
```
Example flow that works:

1. Open a browser tab. Atmosphere writes a SessionTimeoutRestorer with timeout = 60s to the session and sets the real timeout to -1.
2. Wait.
3. At 1 minute the session is not timed out because timeout = -1 (this is correct).
4. Wait.
5. At the 2 minute mark the AtmosphereResource times out, the session restorer is removed and the session timeout is set back to 60s.
Example flow that doesn't work:

1. Open a browser tab. Atmosphere writes a SessionTimeoutRestorer with timeout = 60s to the session and sets the real timeout to -1.
2. Open a second browser tab. Atmosphere writes a SessionTimeoutRestorer with timeout = -1, replacing the old one and thus losing the 60s timeout information.
3. Wait.
4. No timeout at 1 minute because timeout = -1 (ok).
5. Wait.
6. At the 2 minute mark both AtmosphereResources time out. The first one removes the restorer and sets the session timeout to -1.
7. The session will never time out and will leak unless it is invalidated explicitly (e.g. the user logs out).
The trivial fix is to not overwrite the session restorer, but I'm afraid that is not the correct fix for all restorer problems. The issue is that with multiple requests the first one will restore the timeout, and thus the session might time out while other requests are still working.
The correct fix would be to:

1. Not overwrite the session restorer.
2. Restore the session timeout only when the last request has completed!
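To make the three variants concrete, here is a small model of the two-tab flow above, written for this issue and not taken from Atmosphere: the reported overwriting behaviour, the "trivial fix" that only stops overwriting, and a counting restorer that restores the timeout when the last suspended request completes. `Session`, the `restorer` attribute key and the function names are constructed stand-ins for HttpSession and Atmosphere's internals.

```python
NEVER = -1  # servlet convention: a negative max-inactive interval disables expiry
KEY = "restorer"  # constructed attribute name, not Atmosphere's real key
class Session:  # minimal stand-in for HttpSession: a timeout value plus attributes
    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self.attrs = {}

# Behaviour described in the report: every suspend stores a fresh restorer.
def buggy_suspend(session):
    session.attrs[KEY] = session.timeout  # second tab saves -1, losing the real 60s
    session.timeout = NEVER

def buggy_resume(session):
    saved = session.attrs.pop(KEY, None)  # first resume removes the restorer...
    if saved is not None:
        session.timeout = saved           # ...and writes back -1; later resumes find nothing

# The "trivial fix": never overwrite an existing restorer (resume logic unchanged).
def trivial_suspend(session):
    if KEY not in session.attrs:
        session.attrs[KEY] = session.timeout
    session.timeout = NEVER

# Proposed fix: record the original once, count suspended requests, restore on the last one.
def fixed_suspend(session):
    state = session.attrs.get(KEY)
    if state is None:  # first suspended request owns the original value
        state = {"original": session.timeout, "active": 0}
        session.attrs[KEY] = state
        session.timeout = NEVER
    state["active"] += 1

def fixed_resume(session):
    state = session.attrs.get(KEY)
    if state is None:
        return
    state["active"] -= 1
    if state["active"] == 0:  # last request out restores the timeout
        session.timeout = state["original"]
        del session.attrs[KEY]

def two_tab_flow(suspend, resume, original_timeout=60):
    """Two tabs suspend, both resources time out in order; return (after 1st resume, after 2nd)."""
    s = Session(original_timeout)
    suspend(s)  # first tab
    suspend(s)  # second tab
    resume(s)   # first AtmosphereResource times out
    after_first = s.timeout
    resume(s)   # second AtmosphereResource times out
    return after_first, s.timeout
```

The buggy variant ends at (-1, -1), the leak from the report; the trivial fix ends at (60, 60), restoring the 60s timeout while the second tab is still suspended; the counting variant ends at (-1, 60).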