tomcat-users mailing list archives

From André Warnier
Subject Re: Moving from a very old Tomcat to a new Tomcat.
Date Wed, 11 Jun 2008 21:19:46 GMT

Christopher Schultz wrote:
[...] lots of smart things which I duly note but omit here

> Tomcat knows that it uses the session to store authentication
> information, so Tomcat itself will create the session and add the cookie
> to the response at this point.
> | The user authenticates, the authentication is checked, and now by some
> | mechanism the call is redirected to the originally-requested URL.
> | But still according to the above, there is no session yet, because
> | HttpServletRequest.getSession() has still not been called.
> It has been called, just not by /your/ code at this point.

Aha ! So there can be hidden, I would even say occult, calls to 
HttpServletRequest.getSession(), that the unsuspecting developer 
wouldn't even know about !
Unless he happens to consult the Holy Source Code, or be a visitor to 
this list and be thus enlightened.
Or is there another source of enlightenment about this, that I don't yet 
know about ?

> | (I also have a problem with the
> | HttpServletRequest.isRequestedSessionIdValid() call, because I fail to
> | see a case where the return value would be false.  But I'll get to that
> | one later, if I haven't exhausted everyone's patience by then.)
> If you make a request to a servlet with a bogus session id, then this
> method will return false.
> It could be generally bogus (wrong format,
> etc.) or the session could have expired. The requested session id could
> be different from the "current" session id, if an invalid session id was
> requested, and the servlet calls request.getSession(true). In that case,
> the requested and actual session ids will be different.

Ah but...
If I make a request with a bogus (or expired) session-id, then Tomcat 
will never be able to "reconnect" the request with a valid existing session.
But, if I understand this right, if I make a request with an invalid 
session-id (in the JSESSIONID cookie for instance), Tomcat will not 
instantly throw out the call with a stack trace.  It might sneakily let 
the call proceed, until the servlet tries to do something with the 
session which it thinks it has but doesn't. /Then/ it will throw the 
servlet out.
Right ?

In other words, if I write a servlet which depends on the pre-existence 
of a valid session, should I always check 
HttpServletRequest.isRequestedSessionIdValid() first, or can I call
HttpServletRequest.getSession(false) and check for a null return value ?
Or can I call HttpServletRequest.getSession(true) and check if the 
obtained session's id matches the request JSESSIONID a posteriori ?
Are these calls always equivalent, from the point of view of checking if 
I have a pre-existing valid session matching the session-id of the cookie ?


P.S.  No matter what the answers are, thank you much for your time 
anyway. It has been a very informative exchange for me, filling up many 
grey areas that I thought I approximately understood but did not really.
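The three checks the message asks about, side by side, as an added example (a hypothetical servlet filter written for this archive page, not code from the thread or from Tomcat). It assumes the Servlet 2.x `javax.servlet` API available in 2008 and is named `RequireSessionFilter` here only for illustration. The filter front-ends servlets that depend on a pre-existing session: it calls `isRequestedSessionIdValid()`, then `getSession(false)` with a null check, and finally compares the live session's id against `getRequestedSessionId()` so the a-posteriori check is made without first letting `getSession(true)` mint a fresh session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not from the thread or from Tomcat).
 * It rejects requests that do not carry a valid, pre-existing session so that
 * the servlet behind it never has to discover a missing session half-way
 * through its work.
 */
public class RequireSessionFilter implements Filter {

    private FilterConfig config;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    public void destroy() {
        this.config = null;
    }

    /**
     * Returns true only when the id the client presented (JSESSIONID cookie or
     * URL rewriting) names a live session and that session can be obtained
     * without creating a new one.
     */
    static boolean hasValidExistingSession(HttpServletRequest request) {
        // Check 1: does the requested id name a session the container still knows?
        // False for a missing id, a malformed id, or an expired session.
        if (!request.isRequestedSessionIdValid()) {
            return false;
        }

        // Check 2: getSession(false) never creates a session, so null means
        // "nothing usable here". With check 1 true this should be non-null.
        HttpSession existing = request.getSession(false);
        if (existing == null) {
            return false;
        }

        // Check 3 (a posteriori): the live session's id must be the one that
        // was requested. Comparing against getRequestedSessionId() instead of
        // calling getSession(true) first matters: on a bad id getSession(true)
        // silently creates a fresh session with a different id, and the
        // comparison would then only tell you that the ids differ.
        String requestedId = request.getRequestedSessionId();
        return requestedId != null && requestedId.equals(existing.getId());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!hasValidExistingSession(request)) {
            // Tomcat would not have thrown anything yet; the servlet would only
            // notice later. Refuse explicitly and leave a trace for the operator.
            config.getServletContext().log(
                "RequireSessionFilter: rejected " + request.getRequestURI()
                + " (requested session id valid="
                + request.isRequestedSessionIdValid() + ")");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                "a valid session is required");
            return;
        }

        chain.doFilter(req, res);
    }
}
```

Mapped in web.xml in front of the servlets that need a session, the filter answers the question in the message in practice: `isRequestedSessionIdValid()` and a null check on `getSession(false)` agree for a missing, malformed or expired id, while the id comparison is only meaningful if it is done against `getRequestedSessionId()` before any code path calls `getSession(true)`.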
