Posted to users@tomcat.apache.org by "Akoulov, Alexandre [IT]" <al...@citigroup.com> on 2005/05/20 03:15:22 UTC
problem: Session invalidation in the servlet accessed via foreign context
Hi all,
It seems that there is a problem with session invalidation in Tomcat 5.0. Please refer to the explanation below:
1. HttpSession session = req.getSession(true); // get the existing user session or create one if it does not exist
2. session.invalidate(); // invalidate the user session
3. session = req.getSession(true); // create a new session (i.e. a valid session)
The above three lines of code are commonly used to invalidate the user session and then create a new one. Tomcat implements this behaviour by creating a new session object in line No.3.
However, in the Tomcat 5.0 implementation (5.0.28), when the above code is accessed via a foreign context, it does not create a new session object, and therefore the session is still invalid after line No.3 is executed. The following code demonstrates the problem:
// imports needed by both servlets
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// servlet that runs in the same tomcat instance but in a different context to DebuggerServlet's context
public class ForeignContextServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        session.invalidate();
        session = req.getSession(true); // !!!!!!PROBLEM!!!!!!!!!! does NOT create a new session when accessed via foreign context's dispatcher
    }
}

// servlet that accesses ForeignContextServlet via foreign context's dispatcher
public class DebuggerServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        ServletContext ctx = getServletContext();
        // dispatch the request to the servlet in a different context
        ServletContext foreignContext = ctx.getContext("/AccessCommon");
        foreignContext.getRequestDispatcher("/foreignContextServlet").include(req, res);
    }
}
Such behaviour is only observed in Tomcat 5.0 (I have not tried it on Tomcat 5.5); Tomcat 3 and Tomcat 4 do create new session objects in line No.3.
I greatly appreciate your comments on this issue.
Kind regards,
Alex.
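
Added example, not part of the original post and not Tomcat code: a fail-closed wrapper around the invalidate-then-recreate pattern above, so that a container returning the already-invalidated session (the behaviour reported for cross-context includes) is detected instead of silently used. The class and method names are hypothetical, and rejecting a reused session ID is an extra check that goes beyond what the post reports.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper for illustration; uses the javax.servlet API of the Tomcat 5.0 era.
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Invalidates the current session (if any) and returns a fresh one.
     * Throws instead of returning if the container did not hand back a
     * new, valid session.
     */
    public static HttpSession renew(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(false);
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            old.invalidate();
        }

        HttpSession fresh = req.getSession(true);
        try {
            // isNew() throws IllegalStateException when called on an invalidated
            // session, which is the state the post describes after line No.3.
            if (!fresh.isNew()) {
                throw new ServletException("session was not re-created after invalidate()");
            }
        } catch (IllegalStateException e) {
            throw new ServletException("getSession(true) returned an invalidated session", e);
        }

        // Assumption of this example: a renewed session must also carry a new ID.
        if (fresh.getId().equals(oldId)) {
            throw new ServletException("session id was reused after invalidate()");
        }
        return fresh;
    }
}
```

Calling SessionRenewal.renew(req) in place of lines 1 to 3 turns the reported condition into an explicit ServletException at the point of renewal.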