Posted to user@struts.apache.org by JOSE L MARTINEZ-AVIAL <jl...@gmail.com> on 2015/05/18 23:41:54 UTC

Change of HttpSession causes java.lang.IllegalStateException: HttpSession is invalid

Hello,
    We have a struts2 project. In that project we have a security procedure
in order to log in the users. As part of the login process, the session is
destroyed and recreated once the user is logged in, in order to avoid
Session hijacking. The problem we are having is that the action finally
returns a JSP, and that JSP has an OGNL reference to the session as follows:

<s:if test="#session[@com.spb.mvc.util.Constants@ATRB_SESSION_USER] != null">

   It seems that the reference #session points to the previous version, as
we are getting errors as follows:

ERROR org.apache.struts2.dispatcher.Dispatcher  - Exception occurred during processing request: HttpSession is invalid
java.lang.IllegalStateException: HttpSession is invalid
        at weblogic.servlet.internal.session.SessionData.getAttributeNames(SessionData.java:476)
        at org.apache.struts2.dispatcher.SessionMap.entrySet(SessionMap.java:111)
        at java.util.AbstractMap.hashCode(AbstractMap.java:492)
        at java.util.Objects.hashCode(Objects.java:96)
        at java.util.HashMap$Entry.hashCode(HashMap.java:847)
        at java.util.AbstractMap.hashCode(AbstractMap.java:494)
        at ognl.OgnlContext.hashCode(OgnlContext.java:707)
        at java.lang.Object.toString(Object.java:237)
        at java.lang.String.valueOf(String.java:2847)
        at java.lang.StringBuilder.append(StringBuilder.java:128)



Is there some way we can force the stack to refresh the reference to the
session?

  thanks

JL

Re: Change of HttpSession causes java.lang.IllegalStateException: HttpSession is invalid

Posted by Christoph Nenning <Ch...@lex-com.net>.
Your interceptor can use the static method:
ActionContext.setSession(Map<String, Object> session)

Have a look at CreateSessionInterceptor to see how the map parameter can 
be created.


When your own interceptor is placed before ServletConfigInterceptor in 
stack it will affect SessionAware.



Regards,
Christoph



>
> Hello Christoph,
>    Apart from the issue with static access to
> @com.spb.mvc.util.Constants@ATRB_SESSION_USER, is there no way to update
> the reference to the session across the whole framework? Because we are
> having the same issue with SessionAware if the session is destroyed/created
> in one of the interceptors. What I would like to do is be able to inject
> the reference to the new session in the interceptor, and have it replace
> the old one across the whole framework. Any suggestions?
>
> JL

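The interceptor approach from the reply above, as an added example that is not part of the thread or of the Struts code base. It assumes Struts 2.3.x on Servlet 3.0 or later; the class name `RenewSessionInterceptor` and the choice to carry all attributes over are hypothetical, and it belongs only in the login action's stack, before `servletConfig`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;
import org.apache.struts2.dispatcher.SessionMap;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// Hypothetical interceptor: renews the HttpSession and refreshes the
// framework's session map so #session and SessionAware see the new one.
public class RenewSessionInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession old = request.getSession(false);

        if (old != null) {
            // Copy attributes first: any access after invalidate() throws
            // IllegalStateException, as in the stack trace in this thread.
            Map<String, Object> carried = new HashMap<String, Object>();
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login session id is no longer valid

            HttpSession fresh = request.getSession(true); // new session id
            for (Map.Entry<String, Object> e : carried.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
        } else {
            request.getSession(true);
        }

        // Same call CreateSessionInterceptor makes: replace the stale
        // SessionMap held by the ActionContext with one bound to the
        // current request, which resolves to the new HttpSession.
        invocation.getInvocationContext()
                  .setSession(new SessionMap<String, Object>(request));

        return invocation.invoke();
    }
}
```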

Re: Change of HttpSession causes java.lang.IllegalStateException: HttpSession is invalid

Posted by JOSE L MARTINEZ-AVIAL <jl...@gmail.com>.
Hello Christoph,
   Apart from the issue with static access to
@com.spb.mvc.util.Constants@ATRB_SESSION_USER, is there no way to update
the reference to the session across the whole framework? Because we are
having the same issue with SessionAware if the session is destroyed/created
in one of the interceptors. What I would like to do is be able to inject
the reference to the new session in the interceptor, and have it replace
the old one across the whole framework. Any suggestions?

JL

2015-05-19 3:17 GMT-04:00 Christoph Nenning <Ch...@lex-com.net>:

> A simple workaround would be to store session as member of action and
> access this reference via ognl.
>
>
> And please note that it is recommended to not use statics via ognl due to
> security issues.
>
>
>
> Regards,
> Christoph

Re: Change of HttpSession causes java.lang.IllegalStateException: HttpSession is invalid

Posted by Christoph Nenning <Ch...@lex-com.net>.
>
> Hello,
>     We have a struts2 project. In that project we have a security procedure
> in order to log in the users. As part of the login process, the session is
> destroyed and recreated once the user is logged in, in order to avoid
> Session hijacking. The problem we are having is that the action finally
> returns a JSP, and that JSP has an OGNL reference to the session as follows:
>
> <s:if test="#session[@com.spb.mvc.util.Constants@ATRB_SESSION_USER] != null">
>
>    It seems that the reference #session points to the previous version, as
> we are getting errors as follows:
>
> ERROR org.apache.struts2.dispatcher.Dispatcher  - Exception occurred during processing request: HttpSession is invalid
> java.lang.IllegalStateException: HttpSession is invalid
>         at weblogic.servlet.internal.session.SessionData.getAttributeNames(SessionData.java:476)
>         at org.apache.struts2.dispatcher.SessionMap.entrySet(SessionMap.java:111)
>         at java.util.AbstractMap.hashCode(AbstractMap.java:492)
>         at java.util.Objects.hashCode(Objects.java:96)
>         at java.util.HashMap$Entry.hashCode(HashMap.java:847)
>         at java.util.AbstractMap.hashCode(AbstractMap.java:494)
>         at ognl.OgnlContext.hashCode(OgnlContext.java:707)
>         at java.lang.Object.toString(Object.java:237)
>         at java.lang.String.valueOf(String.java:2847)
>         at java.lang.StringBuilder.append(StringBuilder.java:128)
>
> Is there some way we can force the stack to refresh the reference to the
> session?
>
>   thanks
>
> JL



A simple workaround would be to store session as member of action and 
access this reference via ognl.


And please note that it is recommended to not use statics via ognl due to 
security issues.



Regards,
Christoph
