tomcat-dev mailing list archives

From Bob Herrmann <...@jadn.com>
Subject Re: JDBCStore implementation
Date Tue, 25 Jun 2002 20:20:10 GMT

> Hi Bob,
> 
> Thanks for your answer!
> 
> Well, I agree that the referred field in the database would fit perfectly 
> in the case of having more than one instance of Tomcat handling requests, 
> but why can't it be used for the "local" session handling as well?
>
> 
> About what you wrote: "Once a session is marked invalid, my understanding 
> is that it only exists for the remaining scope of the page that marked it 
> invalid.". In my case I am not invalidating the session in any page, the 
> session is timed out by tomcat. And I had a simple test page in an 
> environment with a timeout for the session set to a low value (3 minutes). 

ok... a session is said to be "invalid" when marked invalid (by
calling session.invalidate() ) by a Servlet or JSP page.  When a
session is expired, it is also marked invalid, but it is immediately
removed from being accessible.  So the only time your code should be
able to manipulate a Session it should be in the valid state unless
your code explicitly marks it as invalid.

So writing an expired/invalidated session to the store would be
pointless because it is just about to be thrown away.  

> If I follow what tomcat is doing, these are the steps:
> 
> 1 - The session is backed up to the database (I set the value
> maxIdleBackup="10") after nearly 10 seconds of inactivity.
> 2 - In my jsp page I check the methods session.isNew() = false,
> request.isRequestedSessionIdValid() = true. This would be the expected 
> behavior.
> 3 - After the session is timed out by tomcat (I simply take no action 
> during 3 minutes), it is removed from the database.
> 4 - I try again to access the same JSP page and the methods return
> session.isNew() = true and request.isRequestedSessionIdValid() = false. 
> This would also be ok except for the fact that I have a NEW value for the 
> sessionID.

Yea, this seems correct.  Your old session times out after 3 minutes
and is disposed.  Your browser then connects and is assigned a new
session.  The old session was marked invalid for probably a few
milliseconds and then disposed of (or recycled.)

> With this behavior it is impossible to find out if I have a new
> session or an expired one. Maybe I am missing something here, but my
> idea was to redirect the user to a page telling him something like:
> "hi my friend, please login again because your session has
> expired". With the current implementation I am finding no solution
> to this.

You have a new session.  Because request.isRequestedSessionIdValid() =
false, you know an older session is no longer available.   

To detect and handle a new/previously logged in user, you could do
something like this on your page,

	if (session.isNew() && request.isRequestedSessionIdValid() == false ) {
		response.sendRedirect("/relogin.jsp");
		return; // stop processing the rest of the page after the redirect
	}

You should also do something to ensure your session (new or
otherwise) is cooked the way you want it, like
	 
	if( session.getAttribute("username") == null) { 
		response.sendRedirect("/pleaseLogin.jsp");
		return; // stop processing the rest of the page after the redirect
	}


or some such.

Cheers,
-bob

> Cheers,
> Daniel
> 
> bob@jadn.com
> 24.06.2002 18:17
> Please respond to "Tomcat Developers List"
> 
>         To:     tomcat-dev@jakarta.apache.org
>         cc: 
>         Subject:        Re: JDBCStore implementation
> 
> > Hello everyone,
> > 
> > I am writing about an issue on invalidation of sessions.
> > In the current implementation, a session is deleted from the Database 
> > when it is invalidated. Is this really the behavior expected?
> 
> I have been looking over the code some, and I think that behavior is
> correct.  I think the DB schema was written with the thinking that
> that field may some day be useful when more than one instance of
> Tomcat is handling requests. 
> 
> > I mean, if there is an attribute to specify if a session is valid or 
> > not, a session that is invalidated should have this attribute reset 
> > instead of being deleted, isn't it? If this is not true, it is not 
> > possible to see difference between a session that is not valid anymore 
> > and a new one.
> 
> Once a session is marked invalid, my understanding is that it only
> exists for the remaining scope of the page that marked it invalid.
> 
> I think if you have a page with 2 frames in it, and one of the 
> frames marks the session as invalid, the other frame might get;
> 
>   * a valid session until it is marked invalid by the other page
>                  or
>   * a new session
> 
> depending on the race condition of the browser and webserver loading
> both frames.
> 
> Cheers,
> -bob
> 
> 
> > Can anyone tell me something about the plans for the implementation of 
> > this feature?
> > 
> > Cheers,
> > Daniel
> > 
> > 
> > 
> > --
> > To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
> > 
> 
> Cheers,
> -bob
> 

Cheers,
-bob

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
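
The two page-level checks from the reply above can be applied in one place as a servlet filter. This is an added example, not part of the original message or of Tomcat's code; the class name `SessionStateFilter` is hypothetical, the redirect targets and the `username` attribute are the ones used in the message, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter name; map it to the protected URLs in web.xml.
public class SessionStateFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // Never intercept the login pages themselves, or the redirect loops.
        if (path.equals("/relogin.jsp") || path.equals("/pleaseLogin.jsp")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) does not create a session as a side effect.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("username") != null) {
            chain.doFilter(req, res);   // valid, logged-in session
            return;
        }

        // The client presented a session ID the container no longer knows:
        // the old session timed out or was invalidated.
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        String target = staleId ? "/relogin.jsp" : "/pleaseLogin.jsp";
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + target));
        // No chain.doFilter() here: the protected resource must not run.
    }
}
```

The container reports any unknown session ID as invalid, so a stale ID means "expired or never issued"; treat the relogin message as a courtesy, not as proof that the client was previously authenticated.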

