You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Sean McFadden <se...@wingateweb.com> on 2000/09/15 22:07:06 UTC

Error with Session State?

I have a servlet that calls this sequence of methods:

        HttpSession session = request.getSession( true );

        // insert business logic here, and if certain conditions occur:
            session.invalidate();
            session = request.getSession( true );
            session.setAttribute( "foo", "bar" );

Under Tomcat 3.1, this works great. Under Tomcat 3.2bX it is broken ( I tried
it using 3.2b2, 3.2b3, & 3.2b4 just to be sure ). On the call to
setAttribute(...), I get a java.lang.IllegalStateException: getAttribute:
Session already invalidated.

My second call to request.getSession( true ) gives me the same exact session
object, which has been invalidated. Under 3.1, I was getting a new session. I
believe that the following code snippet might have something to do with the
problem:

<code-snippet class="org.apache.tomcat.core.RequestImpl">
    public HttpSession getSession(boolean create) {
         if( serverSession!=null ) {
             // if not null, it is validated by the session module
             return serverSession;
         }
        // etc...
    }
</code-snippet>

Re: Error with Session State?

Posted by "Kenneth R. Kress" <kk...@home.com>.

Sean,

What version are you using? It's broken in 3.1, but was fixed in 3.2b1.
I'm still using 3.1 and 3.2b1

    Ken.


On Mon, 18 Sep 2000, you wrote:
> If this bug was reported and then closed, does it make this situation a pre-maturely
> closed bug or a feature? According to the Servlet 2.2 API javadocs, a call to
> getSession( boolean create ) returns "the HttpSession associated with this request
> or null if create is false and the request has no valid session." From what I can
> see, this call should return a new, valid session.
> 
> "yhs@mimic.onesourcecorp.com" wrote:
> 
> > On Fri, 15 Sep 2000, Sean McFadden wrote:
> >
> > > I have a servlet that calls this sequence of methods:
> > >
> > >         HttpSession session = request.getSession( true );
> > >
> > >         // insert business logic here, and if certain conditions occur:
> > >             session.invalidate();
> > >             session = request.getSession( true );
> > >             session.setAttribute( "foo", "bar" );
> > ><SNIP>
> > > >From what I can make out, nothing is ever setting the serverSession in
> > > RequestImpl to null after StandardSession.invalidate() is called, so this
> > > method call does not produce a new serverSession as it should. Eyeballing the
> > > code sequence, it looks like the StandardSession knows that it's invalidated,
> > > and the StandardManager knows the session has been invalidated. But neither of
> > > these objects have a reference to the RequestImpl instance that "owns" the
> > > session, so they can't call setSession( null ). I haven't been able to quite
> > > make out how sessions get mapped to requests, or I would make submit a patch.
> > > It looks like this one will have to be taken care of by someone who knows a
> > > lot more about Tomcat internals than I do.
> > >
> > > Thanks,
> > > Sean
> > >
> >
> > i reported this many moons ago and it was filed as a bug which was closed
> > by someone. its the cookie handling bug...i dont think anyone solved it
> > but you can work around it. look at my old bug report. its not a very
> > interesting bug obviously. treat cookies and sessions as write once
> > read many type states and you should be ok. dont try to delete/modify.
> > -Ys-
> > yhs@mimic.onesourcecorp.com
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
-- 
Kenneth R. Kress                                kkress@home.com

Re: Error with Session State?

Posted by "yhs@mimic.onesourcecorp.com" <yh...@mimic.onesourcecorp.com>.


On Mon, 18 Sep 2000, Sean McFadden wrote:

> If this bug was reported and then closed, does it make this situation a pre-maturely
> closed bug or a feature? According to the Servlet 2.2 API javadocs, a call to
> getSession( boolean create ) returns "the HttpSession associated with this request
> or null if create is false and the request has no valid session." From what I can
> see, this call should return a new, valid session.
> 

i'd call it a bug no one cares about. :)
eventually someone will get around to fixing it..i just worked around it
in my code which was easier to do than going thru tomcat and patching
it. cookies shouldnt be relied upon anyway..any client side data can be
tampered with. use only trusted server side variables for important
stuff. 
-Ys-
yhs@mimic.onesourcecorp.com

Re: Error with Session State?

Posted by Sean McFadden <se...@wingateweb.com>.

If this bug was reported and then closed, does it make this situation a pre-maturely
closed bug or a feature? According to the Servlet 2.2 API javadocs, a call to
getSession( boolean create ) returns "the HttpSession associated with this request
or null if create is false and the request has no valid session." From what I can
see, this call should return a new, valid session.

"yhs@mimic.onesourcecorp.com" wrote:

> On Fri, 15 Sep 2000, Sean McFadden wrote:
>
> > I have a servlet that calls this sequence of methods:
> >
> >         HttpSession session = request.getSession( true );
> >
> >         // insert business logic here, and if certain conditions occur:
> >             session.invalidate();
> >             session = request.getSession( true );
> >             session.setAttribute( "foo", "bar" );
> ><SNIP>
> > >From what I can make out, nothing is ever setting the serverSession in
> > RequestImpl to null after StandardSession.invalidate() is called, so this
> > method call does not produce a new serverSession as it should. Eyeballing the
> > code sequence, it looks like the StandardSession knows that it's invalidated,
> > and the StandardManager knows the session has been invalidated. But neither of
> > these objects have a reference to the RequestImpl instance that "owns" the
> > session, so they can't call setSession( null ). I haven't been able to quite
> > make out how sessions get mapped to requests, or I would make submit a patch.
> > It looks like this one will have to be taken care of by someone who knows a
> > lot more about Tomcat internals than I do.
> >
> > Thanks,
> > Sean
> >
>
> i reported this many moons ago and it was filed as a bug which was closed
> by someone. its the cookie handling bug...i dont think anyone solved it
> but you can work around it. look at my old bug report. its not a very
> interesting bug obviously. treat cookies and sessions as write once
> read many type states and you should be ok. dont try to delete/modify.
> -Ys-
> yhs@mimic.onesourcecorp.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Re: Error with Session State?

Posted by "yhs@mimic.onesourcecorp.com" <yh...@mimic.onesourcecorp.com>.


On Fri, 15 Sep 2000, Sean McFadden wrote:

> I have a servlet that calls this sequence of methods:
> 
>         HttpSession session = request.getSession( true );
> 
>         // insert business logic here, and if certain conditions occur:
>             session.invalidate();
>             session = request.getSession( true );
>             session.setAttribute( "foo", "bar" );
><SNIP> 
> >From what I can make out, nothing is ever setting the serverSession in
> RequestImpl to null after StandardSession.invalidate() is called, so this
> method call does not produce a new serverSession as it should. Eyeballing the
> code sequence, it looks like the StandardSession knows that it's invalidated,
> and the StandardManager knows the session has been invalidated. But neither of
> these objects have a reference to the RequestImpl instance that "owns" the
> session, so they can't call setSession( null ). I haven't been able to quite
> make out how sessions get mapped to requests, or I would make submit a patch.
> It looks like this one will have to be taken care of by someone who knows a
> lot more about Tomcat internals than I do.
> 
> Thanks,
> Sean
> 

i reported this many moons ago and it was filed as a bug which was closed
by someone. its the cookie handling bug...i dont think anyone solved it
but you can work around it. look at my old bug report. its not a very
interesting bug obviously. treat cookies and sessions as write once
read many type states and you should be ok. dont try to delete/modify.
-Ys-
yhs@mimic.onesourcecorp.com