You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Kok Kin Kee <kk...@geoworks.com> on 1999/03/19 20:44:55 UTC
mod_jserv/4092: session.invalidate() then req.getSession() returns invalidated session.
>Number: 4092
>Category: mod_jserv
>Synopsis: session.invalidate() then req.getSession() returns invalidated session.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: jserv
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Mar 19 11:50:02 PST 1999
>Last-Modified:
>Originator: kkee@geoworks.com
>Organization:
apache
>Release: Apache 1.3.4, Apache JServ 1.0b1
>Environment:
Win NT4.0, JDK 1.2, JSDK 2.0
>Description:
HttpSession session = req.getSession(true);
session.invalidate()
// This statement returns the same invalidated session
// as above!
session = req.getSession(true);
>How-To-Repeat:
Here is the complete code:
//---------------
import java.io.*;
import java.lang.*;
import javax.servlet.*;
import javax.servlet.http.*;
/**
*
* Get a session, invalidate it, and then get a new one.
*/
public class SessionTest extends HttpServlet
{
public void doGet(HttpServletRequest req,
HttpServletResponse resp)
throws ServletException, IOException
{
resp.setContentType("text/html");
ServletOutputStream out = resp.getOutputStream();
HttpSession session = req.getSession(true);
out.println("Current session Id: ");
out.println(session.getId());
out.println("<BR>");
// Testing invalidate...
session.invalidate();
// Should get a new session after invalidate.
session = req.getSession(true);
// Try to use the session, if session is invalid, it will
// throw an exception. However, this session should be valid!
out.println("New session Id: ");
try {
out.println(session.getId());
} catch (Exception e) {
out.println(e.getMessage());
}
out.println("<BR>");
}
public void doPost(HttpServletRequest req,
HttpServletResponse resp)
throws ServletException, IOException
{
doGet(req, resp);
}
}
//-------------
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]