tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andre Van Klaveren <nyb...@gmail.com>
Subject Re: How to detect expired session vs. no session? (Solved)
Date Fri, 10 Dec 2004 18:56:17 GMT
The behavior of getSession(false) also depends on whether you're
calling it from within a standard Servlet or calling it from the
Request passed to a Stuts Action.  getSession(false) always returns
null if a valid session is not associated with the current request
(whether or not the client sent a session ID).  Now, in a Stuts
Action, it will always return a non-null value because apparently
Stuts tries to do the developer a favor and creates a new Session if a
valid one doesn't already exist.  I haven't determined if this
behavior can be altered in Stuts.

I haven't looked at the Struts code yet but this was observed on the
project I'm working on now.  I had to write my own code to make sure
that the request had a valid session before taking action.


On Sat, 11 Dec 2004 02:34:58 +0800, Joseph Lam <jlam@ust.hk> wrote:
> Steve Kirk wrote:
> 
> 
> 
> >>By default:
> >>1. getSession(true)!=null
> >>2. getSession(false)!=null
> >>
> >>But if a JSP page contains the tag <%@ page session="false" %>, then:
> >>1. getSession(true)!=null
> >>2. getSession(false)==null
> >>
> >>
> >
> >In the last of these 4 cases, do you mean that the implicit JSP session
> >object returns null, or that request.getSession(false) returns null?  I
> >could understand the first behaviour but would be surprised by the second.
> >The problem is that it implies that JSPs execute the code in a way that is
> >different than if it were included in a servlet, and given that JSPs are
> >servlets, this seems puzzling.  Again, perhaps I'm not fully understanding
> >either your case, or the details of how sessions work.
> >
> >
> I'll do some testing to confirm whether the implicit session object is
> null (which I guess so). I'm sure request.getSession(false) can really
> be null coz I'm relying on that in my pages, which all are forced not to
> create session by default until I received the login params and
> authenticate them, and then manually call HttpSession mySession =
> request.getSession(true) to create one.
> 
> >>For my case, sessions will only be created for logged-in
> >>users
> >>
> >>
> >
> >what is it about your case that makes this happen?  I would have thought
> >that session creation is independent of whether you are authenticating or
> >not.  Or is there a way to config TC to not create sessions by default, and
> >only create them when the user successfully authenticates?
> >
> >
> Add this and TC won't create session by default: <%@ page
> session="false" %>
> 
> 
> 
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
>

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message