tomcat-users mailing list archives

From "Akoulov, Alexandre [IT]" <alexandre.akou...@citigroup.com>
Subject problem: Session invalidation in the servlet accessed via foreign context
Date Fri, 20 May 2005 01:15:22 GMT
Hi all,

It seems that there is a problem with session invalidation in Tomcat 5.0. Please refer to the
explanation below:


1. HttpSession session = req.getSession(true); // get the existing user session or create one if it does not exist
2. session.invalidate(); // invalidate the user session
3. session = req.getSession(true); // create a new session (i.e. a valid session)

The above three lines of code are commonly used to invalidate the user session and then create
a new one. Tomcat implements this behaviour by creating a new session object in line No. 3.
However, in the Tomcat 5.0 implementation (5.0.28), when the above code is accessed via a foreign
context, it does not create a new session object, and therefore the session is still invalid after
line No. 3 is executed. The following code demonstrates the problem:

// imports needed by both servlets (each class lives in its own source file)
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// servlet that runs in the same Tomcat instance but in a different context to DebuggerServlet's context
public class ForeignContextServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {

        HttpSession session = req.getSession(true);

        session.invalidate();
        // !!!!!!PROBLEM!!!!!!!!!! does NOT create a new session when accessed via foreign context's dispatcher
        session = req.getSession(true);
    }
}


// servlet that accesses ForeignContextServlet via foreign context's dispatcher
public class DebuggerServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {

        ServletContext ctx = getServletContext();

        // dispatch the request to the servlet in a different context
        ServletContext foreignContext = ctx.getContext("/AccessCommon");
        foreignContext.getRequestDispatcher("/foreignContextServlet").include(req, res);
    }
}

Such behaviour is only observed in Tomcat 5.0 (I have not tried Tomcat 5.5); Tomcat 3 and Tomcat 4
do create new session objects in line No. 3.


I greatly appreciate your comments on this issue.


Kind regards,

Alex.
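
Added example, not part of the original message and not Tomcat's own code: a defensive wrapper around the three-line pattern above that verifies the container really issued a new session and throws otherwise, so code relying on the pattern fails closed when the behaviour reported here occurs. The class name SessionRenewal and method renew are hypothetical; only standard javax.servlet calls are assumed.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper (added example, not from the original post).
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Invalidates the current session and returns a replacement, verifying
     * that the container really issued a new one. Throws instead of
     * returning a session that is still invalid or still has the old ID.
     */
    public static HttpSession renew(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(true);
        String oldId = old.getId();      // read the ID while the session is still valid
        old.invalidate();

        HttpSession fresh = req.getSession(true);
        try {
            // isNew() throws IllegalStateException on an invalidated session,
            // which is the state the post reports after line No. 3.
            if (!fresh.isNew()) {
                throw new ServletException("session was not re-created after invalidate()");
            }
        } catch (IllegalStateException e) {
            throw new ServletException("getSession(true) returned an invalidated session", e);
        }
        // A replacement that keeps the old ID is rejected as well.
        if (oldId.equals(fresh.getId())) {
            throw new ServletException("session ID unchanged after invalidate()");
        }
        return fresh;
    }
}
```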
                                       
                                
