Posted to user@turbine.apache.org by Asha N <as...@yahoo.com> on 2012/07/18 19:58:22 UTC
session.invalidate not working
Hello,
We are using Turbine with Velocity, Javascript and Java and Tomcat 7 as our
server. I have a use case where the session needs to be invalidated after a
user logs in. The things that I tried are:
* Tomcat7 by default has it turned on, but it does not work. We have another
system with Spring instead. That generates a new jsessionid without any
issues.
* I tried the following code just before the user gets authenticated via:
  TurbineSecurity.getAuthenticatedUser(username, password);
  my code:
    HttpSession session = data.getRequest().getSession(false);
    if (session != null && !session.isNew()) {
        session.invalidate();
    }
    data.getRequest().getSession(true);
  this does not work. I still get the same sessionid.
I also tried:
data.getSession().invalidate(), but that too does not seem to work.
Any pointers or inputs are greatly appreciated.
thanks in advance,
Asha
--
View this message in context: http://old.nabble.com/session.invalidate-not-working-tp34180666p34180666.html
Sent from the Turbine - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@turbine.apache.org
For additional commands, e-mail: user-help@turbine.apache.org
Re: session.invalidate not working
Posted by Tony Oslund <to...@prepare-enrich.com>.
I looked through some of my code and came across the following...
    // invalidate the old session
    data.getRequest().getSession().invalidate();
    // use the sessionid from a newly created session
    sessionId = data.getSession().getId();
In another instance I am also using a slightly different variation
    try {
        if (data.getResponse().isCommitted() == false) {
            data.getResponse().sendRedirect(destination);
        }
        // invalidate this session since we are not going to use it anyways
        data.getRequest().getSession().invalidate();
        return false;
    } catch (IOException ex) {}
I have not had problems with either of these.
However, I am currently running Tomcat 6.0...
Thinking years back... one thing I did run into with this had to do with
my setup in tomcat....
Within conf/server.xml (on my dev server) I use
    <Context path="/webapp" docBase="webapp" crossContext="true">
Within WEB-INF/web.xml I use
    <servlet>
        <servlet-name>
            webapp
        </servlet-name>
        <servlet-class>
            org.apache.turbine.Turbine
        </servlet-class>
        ...
    </servlet>
    <servlet-mapping>
        <servlet-name>
            webapp
        </servlet-name>
        <url-pattern>
            /something/*
        </url-pattern>
    </servlet-mapping>
Re: session.invalidate not working
Posted by Thomas Vandahl <tv...@apache.org>.
On 18.07.12 19:58, Asha N wrote:
> * Tomcat7 by default has it turned on, but it does not work. We have another
> system with Spring instead. That generates a new jsessionid without any
> issues.
> * I tried the following code just before the user gets authenticated via:
> TurbineSecurity.getAuthenticatedUser(username, password);
> my code:
> HttpSession session = data.getRequest().getSession(false);
> if (session!=null && !session.isNew()) {
> session.invalidate();
> }
>
> data.getRequest().getSession(true);
>
> this does not work. I still get the same sessionid.
> I also tried:
>
> data.getSession().invalidate(), but that too does not seem to work.
RunData retrieves a copy of the session when the object is built. So all
but your last attempt do not modify this copy. This last attempt
*should* work as it is the same method that is used in Turbine.java.
Bye, Thomas.
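
One way to renew the session ID at login using only the Servlet API, as an added example that is not part of the thread and not Turbine's own code. The class and method names are hypothetical, and the helper returns the new session so the caller does not keep working with a reference fetched before the invalidation (the stale copy described above).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not Turbine API): issue a new session ID at login. */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Invalidates the current session, if any, and returns a new one.
     * Only attributes named in carryOver are copied to the new session.
     * Call before the response is committed so the new cookie can be sent.
     */
    public static HttpSession renew(HttpServletRequest request, Set<String> carryOver) {
        HttpSession old = request.getSession(false);
        String oldId = null;
        Map<String, Object> kept = new HashMap<String, Object>();

        if (old != null) {
            oldId = old.getId();
            for (String name : carryOver) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    kept.put(name, value);
                }
            }
            old.invalidate(); // any reference to 'old' held elsewhere is now stale
        }

        HttpSession fresh = request.getSession(true);
        if (fresh.getId().equals(oldId)) {
            // Fail closed: the login must not continue on the pre-login ID.
            throw new IllegalStateException("session ID was not renewed");
        }
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh; // use this object from here on, not one fetched earlier
    }
}
```

Call it once the credentials have been verified and before anything is stored for the authenticated user, then read the session through the returned object. Tomcat's own session ID change on authentication is done by its container-managed authenticators, so a login handled in application code needs an explicit renewal like this.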
Re: session.invalidate not working
Posted by Asha N <as...@yahoo.com>.
Thank you for the response.
Is there a particular place that data.getSession().invalidate() needs to be
in, say after authentication or before authentication?
thanks again,
Asha
Re: session.invalidate not working
Posted by Tony Oslund <to...@prepare-enrich.com>.
It appears as if you are invalidating the session for authentication
reasons... is that correct?
It might make sense to simply track the user's state within the current
session. If they are authenticated assign them a role, set a duration
for the tomcat session (for timeout purposes), etc.
If they logout... you could certainly invalidate their session, or you
could simply reduce their authentication level (remove the role(s)), etc.
...
Are you invalidating the session to improve the frequency at which
session resources are reclaimed?
On 7/18/2012 2:59 PM, Tony Oslund wrote:
> data.getRequest().getSession().invalidate();
>
> On 7/18/2012 2:32 PM, Asha N wrote:
>> It seems to work once after I rebuild and restart Tomcat. Any subsequent
>> tries, it does not work. I am not sure why. I used
>> data.getSession().invalidate(). I also noticed that the session id has
>> already changed by the time it got to that place. I am really
>> confused as
>> what to do at this point. Is there any other approach I can take?
>>
>> thanks,
>>
>> Asha
Re: session.invalidate not working
Posted by Tony Oslund <to...@prepare-enrich.com>.
data.getRequest().getSession().invalidate();
On 7/18/2012 2:32 PM, Asha N wrote:
> It seems to work once after I rebuild and restart Tomcat. Any subsequent
> tries, it does not work. I am not sure why. I used
> data.getSession().invalidate(). I also noticed that the session id has
> already changed by the time it got to that place. I am really confused as
> what to do at this point. Is there any other approach I can take?
>
> thanks,
>
> Asha
Re: session.invalidate not working
Posted by Asha N <as...@yahoo.com>.
It seems to work once after I rebuild and restart Tomcat. Any subsequent
tries, it does not work. I am not sure why. I used
data.getSession().invalidate(). I also noticed that the session id has
already changed by the time it got to that place. I am really confused as
to what to do at this point. Is there any other approach I can take?
thanks,
Asha