List-Id: "Tomcat Users List"
Date: Mon, 29 Nov 2004 18:15:25 -0700
From: "Dennis Payne"
Subject: Re: [HttpSession creation: When & How]

You can use the session.invalidate() if you need to before creating a new session (I did not use this approach). With my system, if the session exists we check for required elements and place them there if they are missing. Every thirty minutes the session automatically invalidates. At that point we create a new session and simply repeat the check for required elements.

All of this is invisible to the user who logs in only once. The only information that stays from session to session is data that is persisted in (written to) the database and put in the session for servlet/JSP use.

If I understand correctly the HTTP Session is initiated by the web server when authentication takes place (I only have experience with basic authentication). Other wiser sources may clarify...

>>> cecajina@hotmail.com 11-29-2004 17:31 >>>
Good evening.

My question is about HttpSession object creation and destruction within a Servlet/JSP container. I'm using the JBoss/Tomcat bundle (versions 3.2.3/4.1.29) with a database realm properly configured.

Here's how things work so far:

1. User goes to a predefined Welcome File (index.html)
2. Within the welcome file there's a link to a protected resource (which happens to be the application's "main screen")
3. The user clicks the link and the login page appears.
4. The user enters login/password and logs on successfully or is redirected to an error page.

Up to this point everything works fine, but the thing that I don't understand is that the moment the user clicks the link that points to a protected resource an HttpSession object is created by the server even though the user hasn't been authenticated.

This behavior kinda ruins my plans because I have a Session Creation/Destruction Listener that is supposed to detect a session creation event in order to be able to place some things (objects) in that user session, but it seems that the created session for the unauthenticated is "recycled" after authentication and my session lifecycle listener is no longer useful (the session already exists).

I've looked into the Servlet spec but couldn't find anything clarifying enough...

If anyone has any comments, tips, thoughts on this issue I'd like to hear 'em... :^)

Regards,
Carlos...

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
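
The per-request check described in the reply above, written as a servlet filter so that session data is tied to the authenticated user rather than to the session-creation event. This is an added example, not code from either poster; the class name, attribute names and stored values are assumptions, and it uses only the Servlet 2.3 API that Tomcat 4.1 implements.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example. Populates per-user session data on the first authenticated
 * request instead of in sessionCreated(), because the container may create
 * the session before the login form has been submitted.
 */
public class SessionSetupFilter implements Filter {

    // Hypothetical attribute names, chosen for this example.
    static final String OWNER = "example.session.owner";
    static final String LOGIN_TIME = "example.session.loginTime";

    public void init(FilterConfig config) {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // null until the realm has authenticated the caller
            String user = http.getRemoteUser();
            if (user != null) {
                HttpSession session = http.getSession(true);
                // OWNER is missing on the first request after login or after a
                // timeout. A different OWNER means the session was populated
                // for another login, so the data is rebuilt for this user.
                if (!user.equals(session.getAttribute(OWNER))) {
                    session.setAttribute(LOGIN_TIME, new Date());
                    // Data read from the database would be stored here.
                    session.setAttribute(OWNER, user);
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Map the filter in web.xml to the same URL patterns as the protected resources so it runs on every request that can carry an authenticated user.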