From a28a59be89a0cc626a13664679a8cffa82d9924c Mon Sep 17 00:00:00 2001
From: Jan Bartel <janb@webtide.com>
Date: Thu, 19 May 2016 16:30:39 +1000
Subject: [PATCH] Sessions expire if now is >= calculated expiry

---
 .../eclipse/jetty/server/session/SessionData.java    |  3 +--
 .../AbstractSessionInvalidateAndCreateTest.java      | 12 +++++-------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionData.java b/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionData.java
index 2b47aaf0d16..152e1a980c3 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionData.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionData.java
@@ -354,8 +354,7 @@ public class SessionData implements Serializable
             LOG.debug("Testing expiry on session {}: Never expires? {} Is expired?{}", _id, (getExpiry()<= 0), (getExpiry() < time));
         if (getExpiry() <= 0)
             return false; //never expires
-        
-        return (getExpiry() < time);
+        return (getExpiry() <= time);
     }
     
     /** 
diff --git a/tests/test-sessions/test-sessions-common/src/main/java/org/eclipse/jetty/server/session/AbstractSessionInvalidateAndCreateTest.java b/tests/test-sessions/test-sessions-common/src/main/java/org/eclipse/jetty/server/session/AbstractSessionInvalidateAndCreateTest.java
index b36ea739f54..52e12b27ac1 100644
--- a/tests/test-sessions/test-sessions-common/src/main/java/org/eclipse/jetty/server/session/AbstractSessionInvalidateAndCreateTest.java
+++ b/tests/test-sessions/test-sessions-common/src/main/java/org/eclipse/jetty/server/session/AbstractSessionInvalidateAndCreateTest.java
@@ -57,7 +57,7 @@ public abstract class AbstractSessionInvalidateAndCreateTest
 {
     public class MySessionListener implements HttpSessionListener
     {
-        List<Integer> destroys;
+        List<Integer> destroys = new ArrayList<>();
 
         public void sessionCreated(HttpSessionEvent e)
         {
@@ -66,9 +66,6 @@ public abstract class AbstractSessionInvalidateAndCreateTest
 
         public void sessionDestroyed(HttpSessionEvent e)
         {
-            if (destroys == null)
-                destroys = new ArrayList<>();
-
             destroys.add(e.getSession().hashCode());
         }
     }
@@ -129,9 +126,9 @@ public abstract class AbstractSessionInvalidateAndCreateTest
                 request2.header("Cookie", sessionCookie);
                 ContentResponse response2 = request2.send();
                 assertEquals(HttpServletResponse.SC_OK,response2.getStatus());
-         
+
                 // Wait for the scavenger to run
-                pause(inactivePeriod+scavengePeriod);
+                pause(inactivePeriod+(2*scavengePeriod));
 
                 //test that the session created in the last test is scavenged:
                 //the HttpSessionListener should have been called when session1 was invalidated and session2 was scavenged
@@ -186,6 +183,7 @@ public abstract class AbstractSessionInvalidateAndCreateTest
             {
                 HttpSession session = request.getSession(true);
                 session.setAttribute("identity", "session1");
+                session.setMaxInactiveInterval(-1); //don't let this session expire, we want to explicitly invalidate it
             }
             else if ("test".equals(action))
             {
@@ -196,7 +194,7 @@ public abstract class AbstractSessionInvalidateAndCreateTest
 
                     //invalidate existing session
                     session.invalidate();
-                    
+
                     //now try to access the invalid session
                     try
                     {