Within a web application, you often need a state to create a session lifecycle. You may create a CDI named been with session scope, to keep track of some user data. Suppose, you have a JSF application. Assigned to your pages you might use named beans with request scope. If you need some session-wide info, you can use CDI:

@inject SessionBean mySessionBean

I moved an application which ran without known problems on GlassFish 3 to GlassFish 4. Everything worked fine, as long as I tested the app for myself. But using this app concurrent with other users, sometimes the app showed me a session timeout, could not restore a conversation or, in one case, showed me data of a concurrent user. It seemed, a SessionBean object of a different user had been injected to the request bean assigned to my request.

This issue might be in context with a memory leak of GlassFish in conjunction with Weld (CDI) [1]. I didn’t check, whether this is a real cause, or if there is a different issue with the CDI implementation, but updating Weld to version 2.0.5 solved the problem. Or exactly: Since this update I could not reproduce this problem.

Usually, updating a module for GlassFish 4 is quite easy:

  1. Stop GlassFish domain
  2. Replace the module (jar file) in GlassFishHome/glassfish/modules
  3. Restart GlassFish domain

As the time of writing, you may also update JSF to version 2.2.5.

Because some posts exists for updating special modules (Weld [2], JSF [3]), I only described the general procedure for updating a module. And never forget to double-check whether your your updated environment is working as expected before going productive.

[1] https://java.net/jira/browse/GLASSFISH-20928
[2] http://delabassee.com/blog/?p=286
[3] https://weblogs.java.net/blog/mriem/archive/2013/10/29/jsf-tip-29-update-your-jsf-version-glassfish

Read my Tutorial web development (with JSF).

Update: I recognized, [2] is not available sometimes. Try Weld Download at [4]

[4] http://weld.cdi-spec.org/download/