tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Asensio, Rodrigo" <>
Subject invalid sessions
Date Mon, 18 Dec 2006 17:52:09 GMT
Hi guys, Im trying to reject users whose sessions was invalidated (in
purpose because a logout or timeout)
But I found that there is not logic combination in the session valid or
invalid methods.

Case 1
First request
Session.isNew()  TRUE
Request.isRequestedSessionIdValid() FALSE

We can say that this is ok because you are still not authenticated.

Case 2
Session timeout
Next request will be
Session.isNew() TRUE   because creates a new session
Request.isRequestedSessionIdValid() FALSE 

The funny thing is if I request the session with create in false, it
always returns an object
Request.getSession(false) != null ALWAYS in this case.

I have no way to verify if the session was invalidated by a timeout.

I made a listener and put the invalid session in the DB but I have no
way to identify because
When a client comes back from a invalid session, it creates a new one.

Do you know any way ?


Rodrigo Asensio
Fuel Management Services
Gilbarco Veeder Root
phone: +1 336 547 5023
  |        |
  |        |
  |       ~|~
  (        _)
  |        |
  |        |
  ''..     |
 /    ''---|| /\
/     \    \\/\/
|  \  /     \_/
|   \/\\    | \

This message (including any attachments) contains confidential 
and/or proprietary information intended only for the addressee.  
Any unauthorized disclosure, copying, distribution or reliance on 
the contents of this information is strictly prohibited and may 
constitute a violation of law.  If you are not the intended 
recipient, please notify the sender immediately by responding to 
this e-mail, and delete the message from your system.  If you 
have any questions about this e-mail please notify the sender 

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message