I am trying to implement the HttpSessionListener (the same class
implements ServletContextListener. The code for which is below.
1. I open a browser window , use MyApp after logging in.
2. I open the tomcat manager and reload my webapp. I go to the console
at this point and see the message - "Session is already invalid."
3. I go to my window in step 1. and click on a link to go to a
particular .jsp page. I get a blank window. I check the session
attributes at this point and my session attribute USER_AUTHORIZED
exists and is true.
step 2 s result conflicts with step 3s result. Invalidating the session
does not propagate to the client ??????? What am i doing wrong ?
public void contextDestroyed(ServletContextEvent sce)
{
// Destroy sessions.
if(sessions != null)
{
Iterator i = sessions.iterator();
while (i.hasNext())
{
HttpSession s = (HttpSession)i.next();
try
{
if(s != null && s.getAttribute("USER_AUTHORISED") != null)
{
System.out.println("Invalidating session id = " +
s.getId());
s.invalidate();
}
}
catch(IllegalStateException ex)
{
System.out.println("Session is already invalid.");
}
}
}
// End Destroy sessions.
}
public void sessionCreated(HttpSessionEvent event)
{
if(sessions == null)
sessions = new HashSet();
sessions.add(event.getSession());
}
public void sessionDestroyed(HttpSessionEvent event)
{
if(sessions != null)
{
sessions.remove(event.getSession());
}
}
On Wednesday, September 17, 2003, at 02:08 PM, Mufaddal Khumri wrote:
> To test I did the following:
>
> 1. started tomcat.
> 2. started a browser, logged into MyApp and used it.
> 3. stopped tomcat and restarted tomcat . (kept the browser window
> open).
> 4. went back to my browser window and tried to continue using my MyApp
> by clicking on one of the links to a jsp page. The browser showed me a
> blank window -
> AT THIS POINT I checked the session attribute and it was still
> existing. My code that redirects the user to the login page checks to
> see if this attribute is not there or is false. Since its present and
> is true it does not redirect the user. The only way i can redirect the
> user to the login page is by invalidating the session he or she is
> using . For this i made the change to the server.xml.
>
> Any ideas why this isnt working ?
>
> On Thursday, September 18, 2003, at 02:12 AM, Mike Curwen wrote:
>
>> You are doing nothing wrong... Tomcat will persist sessions between
>> restarts.
>>
>> To check your code works correctly, don't restart Tomcat... close your
>> browser window and start a new instance of the browser (or let the
>> session time out in a single browser).
>>
>>
>>> -----Original Message-----
>>> From: Mufaddal Khumri [mailto:mufaddal@(protected)]
>>> Sent: Wednesday, September 17, 2003 2:53 AM
>>> To: Tomcat Users List
>>> Cc: Yoav.Shapira@(protected)
>>> Subject: Re: cleaning up sessions ...
>>>
>>>
>>> Exactly. I have a session attribute in my session that i set
>>> to true .
>>> and if that session attribute is not present or is false i redirect
>>> them to the authentication page.
>>>
>>> I did the following to my server.xml :
>>>
>>> <Manager className="
org.apache.catalina.session.PersistentManager"
>>> debug="0"
>>> saveOnRestart="false"
>>> maxActiveSessions="-1"
>>> minIdleSwap="-1"
>>> maxIdleSwap="-1"
>>> maxIdleBackup="-1">
>>> <Store
>>> className="
org.apache.catalina.session.FileStore"/>
>>> </Manager>
>>>
>>> Now i go to the tomcat manager and reload my webapp . I am
>>> navigating
>>> the webapp in a browser when this happens (ie i am currently a user
>>> using a valid session ) .. after the webapp reloads ... i continue
>>> using the webapp by clicking on say a link ... which takes me to some
>>> other jsp page ... i do a check on top of this jsp page for this
>>> "attribute" ... and it still persists . This is what threw me off ..
>>> and i could not understand where i was doing what wrong ...
>>>
>>> Any help appreciated
>>>
>>> Thanks.
>>>
>>> On Thursday, September 18, 2003, at 01:19 AM, Shapira, Yoav wrote:
>>>
>>>>
>>>> Howdy,
>>>>
>>>>> all pages i do a checkAuthetication .. how do i check if
>>> the session
>>>>> is
>>>>> active or not ? .. so that i can detect that and redirect
>>> them to the
>>>>
>>>> Hmm... I would do this using attributes. All attributes
>>> are unbound
>>>> when the session is invalidated. So add an attribute to
>>> the session
>>>> when you authenticate people, and check for that attribute in your
>>>> pages. If it's not present, redirect them to the
>>> authentication page.
>>>>
>>>> Yoav Shapira
>>>>
>>>>
>>>>
>>>> This e-mail, including any attachments, is a confidential business
>>>> communication, and may contain information that is confidential,
>>>> proprietary and/or privileged. This e-mail is intended
>>> only for the
>>>> individual(s) to whom it is addressed, and may not be
>>> saved, copied,
>>>> printed, disclosed or used by anyone else. If you are not the(an)
>>>> intended recipient, please immediately delete this e-mail from your
>>>> computer system and notify the sender. Thank you.
>>>>
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
>>>> For additional commands, e-mail: tomcat-user-help@(protected)
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
>>> For additional commands, e-mail: tomcat-user-help@(protected)
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
>> For additional commands, e-mail: tomcat-user-help@(protected)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> For additional commands, e-mail: tomcat-user-help@(protected)
