tomcat-users mailing list archives

From "Asensio, Rodrigo" <rodrigo.asen...@gilbarco.com>
Subject RE: invalid sessions
Date Mon, 18 Dec 2006 20:07:50 GMT
I saw that method and I read this.

Case brand new session
Session.getId() has some value
Request.getRequestedSessionId() is null because the browser is not
trying to reach some particular session

Case expired session
Session.getId() is different from Request.getRequestedSessionId()
because the browser is trying to reach a session that is no longer
available and the session.getSession() has
created a brand new session

In this case, for sure, your session has expired.

Is it so difficult to wrap these 2 methods in an isSessionExpired()?

Wtf!

Now, we also have to be aware of browser security settings.

Thanks !

-----Original Message-----
From: Veit Guna [mailto:veit.guna@gmx.de] 
Sent: Monday, December 18, 2006 2:28 PM
To: Tomcat Users List
Subject: Re: invalid sessions

I check for invalidated sessions (timeout) the following way:

// Expired: the client presented a session id, but the container no longer knows it.
if (!lRequest.isRequestedSessionIdValid() &&
    lRequest.getRequestedSessionId() != null) {
    log.debug("session expired");
} else {
    log.debug("the normal way");
}

regards,
Veit



Asensio, Rodrigo schrieb:
> Hi guys, I'm trying to reject users whose sessions were invalidated (on 
> purpose, because of a logout or timeout), but I found that there is no 
> logical combination in the session valid or invalid methods.
> 
> Case 1
> First request
> Session.isNew()  TRUE
> Request.isRequestedSessionIdValid() FALSE
> 
> We can say that this is ok because you are still not authenticated.
> 
> Case 2
> Session timeout
> Next request will be
> Session.isNew() TRUE   because creates a new session
> Request.isRequestedSessionIdValid() FALSE
> 
> The funny thing is that if I request the session with create set to false, it 
> always returns an object:
> Request.getSession(false) != null ALWAYS in this case.
> 
> I have no way to verify if the session was invalidated by a timeout.
> 
> I made a listener and put the invalid session in the DB, but I have no 
> way to identify it because when a client comes back from an invalid 
> session, it creates a new one.
> 
> Do you know any way?
> 
> 
> Thanks
> Rodrigo
> 
> 
> 
> 
> -------------------------------------------------------------------
> Rodrigo Asensio
> Fuel Management Services
> Gilbarco Veeder Root
> phone: +1 336 547 5023
> email: rodrigo.asensio@gilbarco.com
> <mailto:rodrigo.asensio@gilbarco.com>
> 
> 
> This message (including any attachments) contains confidential and/or 
> proprietary information intended only for the addressee.
> Any unauthorized disclosure, copying, distribution or reliance on the 
> contents of this information is strictly prohibited and may constitute
> a violation of law.  If you are not the intended recipient, please 
> notify the sender immediately by responding to this e-mail, and delete
> the message from your system.  If you have any questions about this 
> e-mail please notify the sender immediately.
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, 
> e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
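An added example (not code from either poster) that wraps the two checks from Veit's reply into the isSessionExpired() helper Rodrigo asks for, as a servlet filter that runs before any code calls getSession(); the class name and the redirect target /login?reason=expired are assumptions:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; map it in web.xml ahead of the application servlets.
public class ExpiredSessionFilter implements Filter {

    // True only when the client presented a session id that the container no
    // longer recognises (timeout or an explicit invalidate() on logout).
    // A first request carries no id at all, so it is NOT reported as expired.
    // Caveat from the thread: if cookies are blocked and URL rewriting is not
    // used, no id is ever presented and expiry cannot be told from a first visit.
    static boolean isSessionExpired(HttpServletRequest req) {
        String requested = req.getRequestedSessionId();
        return requested != null && !req.isRequestedSessionIdValid();
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Evaluate before anything calls req.getSession(): that call would
        // silently create a fresh session and hide that the old one was gone
        // (this is the Request.getSession(false) != null behaviour Rodrigo saw).
        if (isSessionExpired(req)) {
            resp.sendRedirect(req.getContextPath() + "/login?reason=expired"); // assumed path
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}
}
```

The redirect deliberately does not create a session, so a stale id presented after logout is rejected without the container handing out a replacement first.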





