tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Feretich <>
Subject Re: [HttpSession creation: When & How]
Date Tue, 30 Nov 2004 06:25:09 GMT
When Tomcat intercepts an access to a protected resource and redirects 
to your login form, it saves your initial request by attaching it to the 
session object. If the login is successful, it retrieves the saved 
request and redirects to it. If you don't have an active session, it 
creates one to perform the save.

The basic HttpSession object is for state management, not evidence of 
authentication (see best practice RFC-2964 2.2.2). (You may attach 
authentication info to the session object.)

Bob Feretich

Dennis Payne wrote:
> You can use the session.invalidate() if you need to before creating a
> new session (I did not use this approach).
> With my system, if the session exists we check for required elements
> and place them there if they are missing.  Every thirty minutes the
> session automatically invalidates.  At that point we create a new
> session and simply repeat the check for required elements.  All of this
> is invisible to the user who logs in only once.  The only information
> that stays from session to session is data that is persisted in (written
> to) the database and put in the session for servlet/JSP use.
> If I understand correctly the HTTP Session is initiated by the web
> server when authentication takes place (I only have experience with
> basic authentication).
> Other wiser sources may clarify...
>>>> 11-29-2004 17:31 >>>
> Good evening.
> My question is about HttpSession objects creation and destruction
> within a 
> Servlet/JSP container. I'm using the JBoss/Tomcat bundle (versions 
> 3.2.3/4.1.29) with a database realm properly configured. Here's how
> things 
> work so far:
> 1. User goes to a predefined Welcome File (index.html)
> 2. Within the welcome file there's a link to a protected resource (wich
> happens to be the application's "main screen")
> 3. The user clicks the link and the login page appears.
> 4. The user enters login/password and logs on successfully or is
> redirected 
> to an error page.
> Up to this point everything works fine, but the thing that I don't 
> understand is that the moment the user clicks the link that points to a
> protected resource an HttpSession object is created by the server even
> though the user hasn't been authenticated. This behavior kinda ruin my
> plans 
> because I have a Session Creation/Destruction Listener that is supposed
> to 
> detect a session creation event in order to be able to place some
> things 
> (objects) in that user session, but it seems that the created session
> for 
> the unauthenticated is "recycled" after authentication and my session 
> lifecycle listener is no longer useful (the session already exists)
> I've looked into the Servlet spec but couldn't find anything clarifying
> enough... I'f anyone has any comments, tips, thoughts on this issue I'd
> like 
> to hear'em... :^)
> Regards,
> Carlos... 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> For additional commands, e-mail: 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message