Affects Version/s: 4.3.2
Fix Version/s: None
Note: this issue is particularly prevalent with read-only user providers such as the LdapUserProvider, but the following contrived example shows how this can occur with the DefaultUserProvider:
Steps to reproduce:
- With Openfire configured to use the DefaultUserProvider, create a user "testuser"
- Login as "testuser"
- Using direct SQL (e.g. with the DB Access plugin) delete the user directly from the database:
DELETE FROM ofUser WHERE username = 'testuser'.
This is to simulate a user being removed from an independent UserProvider, e.g. if LDAPUserProvider is in use and the user is removed from LDAP.
- The user session is deleted.
- The user session remains until Openfire is restarted even though the user account no longer exists. Other indications that the user is present (e.g. private storage entries, user properties) will remain indefinitely.