If the servlet spec allows this, I'm all for it!
On Jul 31, 2008, at 2:34 PM, Les Hazlewood wrote:
I'm not sure - I think it is undefined - checking the servlet spec now.
At least the HttpServletRequest JavaDoc makes it sound as if it is
certainly possible:
"Returns the current HttpSession associated with this request or, if
there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this
method returns null.
To make sure the session is properly maintained, you must call this
method before the response is committed.
Parameters:
true - to create a new session for this request if necessary; false to
return null if there's no current session
Returns:
the HttpSession associated with this request or null if create is
false and the request has no valid session"
Their wording of "valid" gives me hope. If it isn't valid (i.e.
invalidated), it sounds as if a new one would be created.
I'll see if the spec says anything.
On Thu, Jul 31, 2008 at 2:21 PM, Jeremy Haile <[EMAIL PROTECTED]> wrote:
Does HTTP allow this?
Can you call HttpSession.invalidate() and then immediately call
HttpServletRequest.getSession(true) and get a new session?
If not, we'd have difficulty implementing this since in an HTTP
environment we replicate those calls to the session. This sounds worthy
of a separate thread though if we're going to continue this discussion.
Jeremy
On Jul 31, 2008, at 2:07 PM, Les Hazlewood wrote:
I think it might be more 'correct' to do this in JSecurity via
subject.getSession().stop() method instead. If in an HTTP environment,
HttpSession.invalidate() will be called on your behalf. If not using
HTTP container sessions (for whatever reason), it also does the
appropriate invalidation on the underlying implementation.
But this surfaces an interesting question for the development team:
If someone calls subject.getSession().stop(), should they be able to
then immediately call subject.getSession() and have it return a brand
new session?
Currently that doesn't happen. Any calls on that returned session would
throw an InvalidSessionException. Going back to the desire to prevent
these exceptions from occurring when possible, isn't it a good idea to
create a new one?
I can't think of any reasons at the moment to not allow a new session
to be created as described. I like the idea of making this possible.
What do you guys think?