Posted to users@tomcat.apache.org by Ja...@clev.frb.org on 2002/09/24 15:10:03 UTC

tomcat 4 sessions - invalidate() does not seem to work

This is a followup post to my previous message, based on further
exploration. I've dug into the Tomcat source code (latest stable release
now), and still don't understand the problem I'm having with sessions.

If I logon to my application and create a session, then logoff and
invalidate the session, then logon again, I seem to be getting a session
with old data. I am now adding a User object to the session at logon, so
the first logon creates this User object and calls setAttribute(user).
Then, at logoff, I do session.invalidate().

So I would expect this call to fail at the next logon (after the session is
invalid):

      // gives me a SessionFacade
      HttpSession session = request.getSession(true);

      // session should be new without any stored values after invalidate(), right?
      if (session.getAttribute(Constants.USER_KEY) != null) {
          System.out.println("the user is already logged in");
      }


My understanding of sessions is that after invalidate() occurs, all data
stored is not available. However, my previously stored object does seem to
be available, although it may not itself have values. For example,
user.getUsername() may return null.

I would greatly appreciate it if someone could explain this behavior to me. (I
don't see this problem when I use a different app server.)

Thanks.

--Jason

__________________

Hi all,

I am struggling to understand how Tomcat 4 creates and invalidates
sessions. In the app I'm writing, I used to use a straightforward method of
inserting a String into the session when the user was logged in, and
removing it when the user logged out. This was only a work-around for the
fact that I could never seem to get an invalid session object as expected.
I decided today to revisit my code, and rewrite it according to how I think
it should work. I'm not having any luck though, and this is driving me
crazy. Can somebody explain this to me? Here are some servlet code
fragments:

      // logon code
      // Make sure the user is not logging in twice
      HttpSession session = request.getSession(true);
      if (session.isNew() == false) {
            session.invalidate();
            session = request.getSession(true);
      }

This is straight out of the current issue of JDJ, actually. (I'd not used
isNew() before.) Now for the logoff:

      // logoff code
      // destroy this user's session
      HttpSession session = request.getSession(false);

      if (session != null) {
            // remove the user object from the session
            session.removeAttribute(Constants.USER_KEY);
            session.invalidate();
      } else
            debug("No session object available for this user.");


One interesting thing I noticed is that, during logoff, I often get handed
a session from Tomcat, despite the getSession(false). This is supposed to
return either a valid session or null; but I usually get a
org.apache.catalina.session.StandardSessionFacade -- even if I logoff
twice, and the session.invalidate() has been called!

Then my logon code is subject to a similar issue. Even though I've just
called session.invalidate() in my logoff code, my next logon is not
recognizing my created session as a new one. Shouldn't it be new since I
just called invalidate?

I've pored through the archives, and many people have described a similar
issue to this, but I've not seen a satisfactory solution (except for an old
post of Craig's, which endorsed the String stored in a session).

Clarification of these issues would be appreciated. Thanks for any help.

--Jason
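
A diagnostic servlet for the logon/logoff behaviour described in this post, added here as an example; it is not part of the original message and is not Tomcat code. The class name, the "action" and "username" parameters, and the "user" attribute key are assumptions, and the logon branch performs no real authentication. It logs the session id at each step so a session that was genuinely reused can be told apart from a new one.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical names): traces session identity around
// logon and logoff using only javax.servlet.http calls.
public class SessionTraceServlet extends HttpServlet {
    private static final String USER_KEY = "user"; // stand-in for Constants.USER_KEY

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String action = request.getParameter("action"); // assumed: "logon" or "logoff"
        // What the client sent, and whether the container still honours it.
        log("requested id=" + request.getRequestedSessionId()
                + " stillValid=" + request.isRequestedSessionIdValid());

        if ("logon".equals(action)) {
            HttpSession old = request.getSession(false);
            if (old != null) {
                // Read everything needed from the old session before invalidating it.
                log("discarding id=" + old.getId() + " user=" + old.getAttribute(USER_KEY));
                old.invalidate();
            }
            HttpSession fresh = request.getSession(true);
            // Expected: a different id, isNew=true, and no user attribute yet.
            log("fresh id=" + fresh.getId() + " isNew=" + fresh.isNew()
                    + " user=" + fresh.getAttribute(USER_KEY));
            // Placeholder for storing the authenticated user object.
            fresh.setAttribute(USER_KEY, request.getParameter("username"));
        } else if ("logoff".equals(action)) {
            HttpSession session = request.getSession(false);
            if (session == null) {
                log("no session for this request");
            } else {
                log("invalidating id=" + session.getId());
                session.invalidate();
                // By the API contract this should now log "null".
                log("after invalidate: " + request.getSession(false));
            }
        }
        response.setContentType("text/plain");
        response.getWriter().println("done: " + action);
    }
}
```

If the "fresh id" line shows the same id as the "discarding id" line, or a non-null user, the container is handing back old session state; if the ids differ, the stale data is coming from somewhere other than the session.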
