Posted to users@tomcat.apache.org by "Akoulov, Alexandre [IT]" <al...@citigroup.com> on 2005/05/20 03:15:22 UTC

problem: Session invalidation in the servlet accessed via foreign context

Hi all,

It seems that there is a problem with session invalidation in Tomcat 5.0. Please refer to the explanation below:


1. HttpSession session = req.getSession(true); // get the existing user session, or create one if it does not exist
2. session.invalidate(); // invalidate the user session
3. session = req.getSession(true); // create a new session (i.e. a valid session)
                                       
The above three lines of code are commonly used to invalidate the user session and then create a new one. Tomcat implements this behaviour by creating a new session object in line No. 3.
However, in the Tomcat 5.0 implementation (5.0.28), when the above code is accessed via a foreign context, it does not create a new session object, and therefore the session is still invalid after line No. 3 is executed. The following code demonstrates the problem:
                                       
                                       
// imports needed by both servlets (each class lives in its own web application)
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// servlet that runs in the same tomcat instance but in a different context to DebuggerServlet's context
public class ForeignContextServlet extends HttpServlet {
     public void doGet(HttpServletRequest req, HttpServletResponse res)
         throws ServletException, IOException {

         HttpSession session = req.getSession(true);

         session.invalidate();
         // !!!!!!PROBLEM!!!!!!!!!! does NOT create a new session when accessed via foreign context's dispatcher
         session = req.getSession(true);
     }
}


// servlet that accesses ForeignContextServlet via foreign context's dispatcher
public class DebuggerServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {

        ServletContext ctx = getServletContext();

        // dispatch the request to the servlet in a different context
        ServletContext foreignContext = ctx.getContext("/AccessCommon");
        foreignContext.getRequestDispatcher("/foreignContextServlet").include(req, res);
    }
}
                                       
Such behaviour is only observed in Tomcat 5.0 (I have not tried it on Tomcat 5.5); Tomcat 3 and Tomcat 4 do create new session objects in line No. 3.


I greatly appreciate your comments on this issue.


Kind regards,

Alex.
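
A defensive check for the symptom described in the message above, as an added example that is not part of the original post and not Tomcat's own code. `SessionRenewal` and `renew` are hypothetical names; the code assumes only the standard javax.servlet API and fails closed when the session returned after `invalidate()` is not a fresh, valid one.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper, added for illustration; not taken from the post or from Tomcat.
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Invalidates the current session, asks the container for a new one and
     * verifies that what came back really is a new, valid session.
     */
    public static HttpSession renew(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(false);
        String oldId = null;
        if (old != null) {
            oldId = old.getId();   // read the id before invalidating
            old.invalidate();
        }

        HttpSession fresh = req.getSession(true);

        boolean usable;
        try {
            // isNew() throws IllegalStateException on an invalidated session,
            // so it doubles as a validity probe.
            usable = fresh != null && fresh.isNew();
        } catch (IllegalStateException e) {
            usable = false;
        }

        // Same object, same id, or an invalid session all mean the renewal failed.
        if (!usable || fresh == old || fresh.getId().equals(oldId)) {
            // Fail closed: do not go on to store login state in a session
            // that was not actually replaced.
            throw new ServletException("session was not renewed after invalidate()");
        }
        return fresh;
    }
}
```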
                                       
                                
