Posted to users@tomcat.apache.org by Johann Uhrmann <jo...@xpecto.com> on 2003/09/02 14:34:23 UTC

javax.servlet.http.HttpSession.getId() returns null

Hello,

I am writing a single-sign-on filter that uses cookies and
a request-wrapper in order to fake a form-based login in
case the user is already authenticated in another web application.

The filter needs some internal structures to perform the single-sign-on
process, e.g. a map that associates the logon name with all
active sessions of the user.

When I try to get the id of those session objects, they sometimes
return null.

Are the ids of expired sessions set to null in Tomcat 4.1.27?
If yes, is there a way to retrieve the former session ids?


Thank You,

Hans


Re: javax.servlet.http.HttpSession.getId() returns null

Posted by Tim Funk <fu...@joedog.org>.

Johann Uhrmann wrote:

> Johann Uhrmann wrote:
> 
>> Hello,
>>
>> I am writing a single-sign-on filter that uses cookies and
...
> 
> 
> after reviewing my logs, it seems that session objects are being
> recycled by the server and the id is set to null while they are
> not in use.
> 
> Is that correct?

I think so. But in tomcat5 - I think pooling is not done.

> 
> Is there a docu that shows what objects are pooled in Tomcat so
> application developer can consider the side-effects of pooling?

Not that I know of.

> 
> In my case, I held references to session objects and it seems that
> the id changed over time. That behaviour broke my filter design
> and was hard to track down.

Since sessions may also passivate to some persistent store such as a file or
database or ??? you had a good chance at having problems in the future anyways.

-Tim
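
An added example, not part of the original thread and not Tomcat's own code: one way to keep the "logon name to active sessions" map without holding `HttpSession` references, by copying the id into a session attribute that removes itself when the container unbinds it. The class name `SsoSessionRegistry`, the attribute key and the method names are hypothetical, and the code is written for a current JDK rather than the JDK used with Tomcat 4.1.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical registry: logon name -> ids of that user's live sessions. */
public final class SsoSessionRegistry {
    private static final Map<String, Set<String>> IDS_BY_USER = new HashMap<>();

    /** Call from the filter once the user is authenticated. */
    public static void register(HttpSession session, String logonName) {
        // Copy the id now, while the session is known to be valid.
        session.setAttribute(Marker.KEY, new Marker(logonName, session.getId()));
    }

    /** Returns a snapshot of the ids, never the session objects themselves. */
    public static synchronized Set<String> sessionIds(String logonName) {
        Set<String> ids = IDS_BY_USER.get(logonName);
        return ids == null ? Collections.<String>emptySet() : new HashSet<>(ids);
    }

    private static synchronized void add(String user, String id) {
        IDS_BY_USER.computeIfAbsent(user, k -> new HashSet<>()).add(id);
    }

    private static synchronized void remove(String user, String id) {
        Set<String> ids = IDS_BY_USER.get(user);
        if (ids != null && ids.remove(id) && ids.isEmpty()) IDS_BY_USER.remove(user);
    }

    /** Session attribute; the container calls valueUnbound on invalidation or timeout. */
    static final class Marker implements HttpSessionBindingListener, Serializable {
        static final String KEY = "sso.marker"; // constructed attribute name
        private final String user;
        private final String id;

        Marker(String user, String id) { this.user = user; this.id = id; }

        public void valueBound(HttpSessionBindingEvent e) { add(user, id); }

        // Uses the stored copy; never calls getId() on a session that may be recycled.
        public void valueUnbound(HttpSessionBindingEvent e) { remove(user, id); }
    }
}
```

If the application rotates the session id at login (for example with `HttpServletRequest.changeSessionId()` on Servlet 3.1+), call `register` after the rotation so the stored copy matches the live id.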



Re: javax.servlet.http.HttpSession.getId() returns null

Posted by Johann Uhrmann <jo...@xpecto.com>.

Johann Uhrmann wrote:
> Hello,
> 
> I am writing a single-sign-on filter that uses cookies and
> a request-wrapper in order to fake a form-based login in
> case the user is already authenticated in another web application.
> 
> The filter needs some internal structures to perform the single-sign-on
> process, e.g. a map that associates the logon name with all
> active sessions of the user.
> 
> When I try to get the id of those session objects, they sometimes
> return null.

Hello again,

after reviewing my logs, it seems that session objects are being
recycled by the server and the id is set to null while they are
not in use.

Is that correct?

Is there a docu that shows what objects are pooled in Tomcat so
application developer can consider the side-effects of pooling?

In my case, I held references to session objects and it seems that
the id changed over time. That behaviour broke my filter design
and was hard to track down.

Kind regards,

Hans


Re: javax.servlet.http.HttpSession.getId() returns null

Posted by Johann Uhrmann <jo...@xpecto.com>.

Tim Funk wrote:
> Before going farther, have you looked at the Single Sign On valve?
> 
> If you are using container managed security (such as form
> authentication), those constraints are executed before the filter chain
> is ever made.

Unfortunately, I cannot use container managed security because I have to
support login from static pages, from other server or via links that
contain the logon key.

> (Otherwise) I am unsure of the semantics of getId() without re-reading 
> the javadocs or the spec.

The api does not mention a null value for that method.
(at least in the version I read)

Regards,

Hans



Re: javax.servlet.http.HttpSession.getId() returns null

Posted by Tim Funk <fu...@joedog.org>.

Before going farther, have you looked at the Single Sign On valve?

If you are using container managed security (such as form authentication),
those constraints are executed before the filter chain is ever made.

(Otherwise) I am unsure of the semantics of getId() without re-reading the 
javadocs or the spec.

-Tim

Johann Uhrmann wrote:

> Hello,
> 
> I am writing a single-sign-on filter that uses cookies and
> a request-wrapper in order to fake a form-based login in
> case the user is already authenticated in another web application.
> 
> The filter needs some internal structures to perform the single-sign-on
> process, e.g. a map that associates the logon name with all
> active sessions of the user.
> 
> When I try to get the id of those session objects, they sometimes
> return null.
> 
> Are the ids of expired sessions set to null in Tomcat 4.1.27?
> If yes, is there a way to retrieve the former session ids?
> 
> 
> Thank You,
> 
> Hans
>