tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paulsen, Jay" <>
Subject RE: getSession() returns a different StandardSessionFacade object every time it is called
Date Sun, 02 Mar 2003 04:08:39 GMT
Well, I would synchronize on my object that I store in the session, by my
problem is how do I make sure that this object is only created and added to
the session by one request thread?  My solution was to synchronize on the
session, and then in the synch block, check for the existence of the object
- if found then fine, use it, otherwise create it and add it to the session.
This is similar to what struts is doing in the isTokenValid() method of
Action class with the transaction token object:

     * Return <code>true</code> if there is a transaction token stored in
     * the user's current session, and the value submitted as a request
     * parameter with this action matches it.  Returns <code>false</code>
     * <ul>
     * <li>No session associated with this request</li>
     * <li>No transaction token saved in the session</li>
     * <li>No transaction token included as a request parameter</li>
     * <li>The included transaction token value does not match the
     *     transaction token in the user's session</li>
     * </ul>
     * @param request The servlet request we are processing
     * @param reset Should we reset the token after checking it?
    protected boolean isTokenValid(HttpServletRequest request, boolean
reset) {

        // Retrieve the current session for this request
        HttpSession session = request.getSession(false);
        if (session == null)
            return (false);

        synchronized (session) {

            // Retrieve the transaction token from this session, and
            // reset it if requested
            String saved = (String)
            if (saved == null)
                return (false);
            if (reset)

            // Retrieve the transaction token included in this request
            String token = request.getParameter(Constants.TOKEN_KEY);
            if (token == null)
                return (false);

            // Do the values match?
            return (saved.equals(token));



Since the call to getSession() will return a new StandardSessionFacade
object every time, I don't see how this synchronized block of code will be
synchronized between different request threads of the same session (wouldn't
they be locking on different objects?).  Now, I will concede that two
concurrent requests for the same session is not going to happen frequently,
but it is a possiblity if the user submits one request and then hits the
stop button and does it again or has two  browser windows open on the same
session.  In fact, I think this is what this Struts code is trying to detect
and prevent - duplicate form submission.  

Maybe my skull is to thick to understand this ;-).  But I don't think web
app code can synchronize on the session object if the request object is
returning a new session wrapper object each time its called.


-----Original Message-----
From: Filip Hanik []
Sent: Saturday, March 01, 2003 6:38 PM
To: Tomcat Developers List
Subject: RE: getSession() returns a different StandardSessionFacade
object every time it is called

why don't you just synchronize on an object stored in your session, bada bim
bada bom :)


Namaste - I bow to the divine in you
Filip Hanik
Software Architect

>-----Original Message-----
>From: Paulsen, Jay []
>Sent: Saturday, March 01, 2003 11:04 AM
>To: ''
>Subject: getSession() returns a different StandardSessionFacade object
>every time it is called
>Tomcat 4.1.12
>Apache 2.0.43
>Warp Connector
>Struts 1.1b2
>Calling getSession() on the request object (which in this environment is an
>instance of HttpRequestFacade which wraps a WarpRequest) creates
>and returns
>a new StandardSessionFacade object that actually wraps another
>StandardSessionFacade object which wraps the StandardSession object.  This
>means that every call to request.getSession() returns a different
>StandardSessionFacade object making it impossible to synchronize on the
>session object.
>It looks like that the code in HttpRequestFacade.getSession() that
>wraps the
>session in another StandardSessionFacade object is unneeded, possibly.  The
>call it makes to StandardSession.getSession() already returns a session
>object wrapped in a facade object.
>Am I completely missing something here?  If this is the intended behavior,
>is there another alternative to synchronizing on the session object? The
>Action.isTokenValid() method in Struts has a synchronized block on the
>session object.  It looks like that this code would not work on Tomcat
>because of this scenario.
>I also quickly looked at Tomcat 4.1.18 and Struts 1.1rc1 and the
>code in the
>above mentioned objects looks the same.  The CoyoteRequestFacade class used
>by the Coyote Connector does the same thing too.
>Any insight on this is greatly appreciated.
>To unsubscribe, e-mail:
>For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message