potential problem in tomcat 3.2. with org.apache.tomcat.facade.HttpSessionFacade

[Chris Hsu <cc...@uniscape.com>]

Hi;
My environment is NT 4 w/sp6, Apache 1.3.12, Tomcat 3.2.1

I noticed a behavior different from tomcat 3.1. From tomcat 3.2
a package is introduced, org.apahe.tomcat.facade
The class in my mind is org.apache.tomcat.facade.HttpSessionFacade
The idea is great, it is for better security and opens the
door for optimization.

What troubles me is that I can no longer use the HttpSession instance
which I got from HttpRequest.getSession(true) later on (across request
boundary). Because it is actually a HttpSessionFacade object and
the link to the real session will be set to null after a request is handled.

If I use HttpRequest.getSession(true) each time, it's not a problem
because the link to the real session will be connected.

Now, my app framework already save the HttpSession instance after
the user authenticate the identity. The object holding the HttpSession
instance is deep down in my framework. It has no way to use HttpRequest
without changing code. In the current tomcat implementation, I am
holding a facade obj which can not really be used.

Also, I found out a workaround. The implementation in
HttpRequest.getSession()
returns the real session object. I guess I could use it for now.

Does any one has similar experience as I did? Is there an implication that
HttpSession should not be saved over request boundary?

Please save the attachment sessionfacade.jsp to tomcat/webapps/examples/.
Then you can use http://localhost/examples/sessionfacade.jsp to test the
behavior. (It is a apache tomcat combination) It is hard to see the problem
if test against tomcat directly (eg via http://localhost:8080) because
tomcat seems to use the same facade object for different request, then
the link to the real session will be rebuilt. And you don't see the problem.

Thanks
____________________________________
Chris Hsu
www.uniscape.com
( <<http://www.uniscape.com/>>)
____________________________________