Posted to users@tomcat.apache.org by Carlos Cajina <ce...@hotmail.com> on 2004/11/30 01:31:43 UTC

[HttpSession creation: When & How]

Good evening.

My question is about HttpSession objects creation and destruction within a 
Servlet/JSP container. I'm using the JBoss/Tomcat bundle (versions 
3.2.3/4.1.29) with a database realm properly configured. Here's how things 
work so far:

1. User goes to a predefined Welcome File (index.html)
2. Within the welcome file there's a link to a protected resource (which 
happens to be the application's "main screen")
3. The user clicks the link and the login page appears.
4. The user enters login/password and logs on successfully or is redirected 
to an error page.

Up to this point everything works fine, but the thing that I don't 
understand is that the moment the user clicks the link that points to a 
protected resource an HttpSession object is created by the server even 
though the user hasn't been authenticated. This behavior kinda ruins my plans 
because I have a Session Creation/Destruction Listener that is supposed to 
detect a session creation event in order to be able to place some things 
(objects) in that user session, but it seems that the created session for 
the unauthenticated is "recycled" after authentication and my session 
lifecycle listener is no longer useful (the session already exists).

I've looked into the Servlet spec but couldn't find anything clarifying 
enough... If anyone has any comments, tips, thoughts on this issue I'd like 
to hear 'em... :^)

Regards,

Carlos... 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: [HttpSession creation: When & How]

Posted by David Stevenson <ds...@rochester.rr.com>.
You could put the following page directive on your login? .jsp page:

<%@ page session="false" %>

David Stevenson

On Mon, 2004-11-29 at 20:35, Frank W. Zammetti wrote:
> Yes, the session is created automagically when a servlet-served resource 
> is accessed (meaning things other than HTML, images, things like that). 
>   JSPs and servlets in other words.  I seem to remember a config switch 
> to turn this off, but that's how it generally works, and this is usually 
> how other app servers work too AFAIK.
> 
> There are ways to deal with this; the way I generally do it is simply to 
> check for some known object in session.  This object is only placed in 
> session from my logon process.  So, if it's not there at any other time, 
> the user hasn't been validated.  Cue whatever error/redirection logic 
> you want at that point.  I think this is a fairly typical approach.
> 
> This confused the hell out of me for a while too... It's a bit 
> counterintuitive, especially when there exists API functionality to 
> create a session or use an existing one.  The logic there I suppose is 
> that you may want to discard the automatically-created session in favor 
> of your own during a logon process for instance, but I'm not sure I see 
> the reason for doing that.
> 
> In any case, you aren't seeing anything unusual here, it's simply 
> something you have to deal with one way or another (or find out the 
> config switch to turn it off, if my memory is serving me correctly in 
> saying it exists at all).




Re: [HttpSession creation: When & How]

Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
Yes, the session is created automagically when a servlet-served resource 
is accessed (meaning things other than HTML, images, things like that). 
  JSPs and servlets in other words.  I seem to remember a config switch 
to turn this off, but that's how it generally works, and this is usually 
how other app servers work too AFAIK.

There are ways to deal with this; the way I generally do it is simply to 
check for some known object in session.  This object is only placed in 
session from my logon process.  So, if it's not there at any other time, 
the user hasn't been validated.  Cue whatever error/redirection logic 
you want at that point.  I think this is a fairly typical approach.

This confused the hell out of me for a while too... It's a bit 
counterintuitive, especially when there exists API functionality to 
create a session or use an existing one.  The logic there I suppose is 
that you may want to discard the automatically-created session in favor 
of your own during a logon process for instance, but I'm not sure I see 
the reason for doing that.

In any case, you aren't seeing anything unusual here, it's simply 
something you have to deal with one way or another (or find out the 
config switch to turn it off, if my memory is serving me correctly in 
saying it exists at all).

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

Carlos Cajina wrote:
> Good evening.
> 
> My question is about HttpSession objects creation and destruction within 
> a Servlet/JSP container. I'm using the JBoss/Tomcat bundle (versions 
> 3.2.3/4.1.29) with a database realm properly configured. Here's how 
> things work so far:
> 
> 1. User goes to a predefined Welcome File (index.html)
> 2. Within the welcome file there's a link to a protected resource (which 
> happens to be the application's "main screen")
> 3. The user clicks the link and the login page appears.
> 4. The user enters login/password and logs on successfully or is 
> redirected to an error page.
> 
> Up to this point everything works fine, but the thing that I don't 
> understand is that the moment the user clicks the link that points to a 
> protected resource an HttpSession object is created by the server even 
> though the user hasn't been authenticated. This behavior kinda ruins my 
> plans because I have a Session Creation/Destruction Listener that is 
> supposed to detect a session creation event in order to be able to place 
> some things (objects) in that user session, but it seems that the 
> created session for the unauthenticated is "recycled" after 
> authentication and my session lifecycle listener is no longer useful 
> (the session already exists)
> 
> I've looked into the Servlet spec but couldn't find anything clarifying 
> enough... If anyone has any comments, tips, thoughts on this issue I'd 
> like to hear 'em... :^)
> 
> Regards,
> 
> Carlos...
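The pattern Frank describes (a known object placed in the session only by the logon process, checked on every other request) together with the listener from Carlos's question, written out as an added example. This is not code from the thread, from Tomcat or from JBoss; the class names, the session attribute names "authenticatedUser" and "createdAt", and the redirect target /login.jsp are assumptions chosen for illustration. The javax.servlet API used here is the Servlet 2.3 API that Tomcat 4.1 implements.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Illustrative example (not the thread's code): how the container's
 * automatic session creation interacts with a session listener, and how
 * Frank's "known object in session" check can be implemented as a filter.
 * The nested classes are referenced in web.xml as
 * LogonSessionDemo$BootstrapListener and LogonSessionDemo$AuthCheckFilter.
 */
public class LogonSessionDemo {

    /** Attribute name for the "known object"; an assumed name. */
    static final String USER_KEY = "authenticatedUser";

    /**
     * The listener from the question. It fires for every session the
     * container creates, which for a JSP or servlet behind a security
     * constraint happens before the user has logged in, so nothing here
     * may assume the user is authenticated.
     */
    public static class BootstrapListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent ev) {
            ev.getSession().setAttribute("createdAt",
                    Long.valueOf(System.currentTimeMillis()));
        }

        public void sessionDestroyed(HttpSessionEvent ev) {
            // Nothing to clean up in this example.
        }
    }

    /**
     * Frank's approach: the request is only allowed through if the session
     * exists and carries the marker that the logon code alone sets.
     * getSession(false) never creates a session, so this check does not
     * itself add to the pre-authentication sessions the question is about.
     */
    public static class AuthCheckFilter implements Filter {
        public void init(FilterConfig cfg) {
        }

        public void destroy() {
        }

        public void doFilter(ServletRequest req, ServletResponse res,
                FilterChain chain) throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false);
            if (session == null || session.getAttribute(USER_KEY) == null) {
                // Not validated: redirect to the (assumed) login page.
                ((HttpServletResponse) res).sendRedirect(
                        http.getContextPath() + "/login.jsp");
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /**
     * Called by an application-managed login servlet once the credentials
     * have been verified. It discards the session the container created
     * before authentication and starts a fresh one, so the listener's
     * sessionCreated runs again, this time for an authenticated user, and
     * the new session carries none of the pre-login state.
     */
    public static HttpSession establishAuthenticatedSession(
            HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_KEY, username);
        return fresh;
    }
}
```

Two caveats for the setup in the question. With a container-managed FORM login, as Carlos uses with his database realm, the login itself is handled by Tomcat and not by application code, so establishAuthenticatedSession only applies if the login is moved into the application; with container authentication the filter can test request.getUserPrincipal() instead of an attribute, since that is set by the realm only after a successful login. And the session the container creates before authentication is what carries the originally requested URL across the login page, so the listener will still fire before login in that configuration; the safe assumption in sessionCreated is simply that the user may not be authenticated yet.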