Well, it's me again,
I keep trying but I cannot find a solution for this one. Reading from
the API I see that:
"
Class: HttpServletRequest
Method: public abstract HttpSession getSession(boolean create)
...
Note: to ensure the session is properly maintained, the servlet
developer must call this method (at least once) before any output is
written to the response.
...
"
So I thought that doing a forward would not be a good idea, as I would
have to force developers to include a call to this method inside their
pages. My next step was to try with RequestDispatcher.include(...)
instead of with forward because I can make sure this call is made
before I start writing to the output (performing the include) but...
no luck until now.
So... is anybody using HttpSessions with forwarding to dynamic pages?
Are your sessions being properly invalidated? Should I just use
getSession(false) to see if a session is new? Is this a bug?
Thanks for any answer,
Dan
-------------------------------------------
Daniel Lopez Janariz ([EMAIL PROTECTED])
Web Services
Computer Center
Balearic Islands University
-------------------------------------------
Daniel Lopez wrote:
>
> Hi,
>
> Now that I decided to move my security framework from http
> authentication to http sessions I'm getting some weird results. I always
> create a session and I check if the session has been created with
> isNew(). If it's new and he's not trying to login, or if he is trying to
> login but the data is incorrect, I invalidate the session through
> HttpSession.invalidate() and then forward the request to the appropriate
> page, depending on the error type (wrong password, timed out
> session...). The weird thing is that if I use a
> getRequestDispatcher(...).forward(...) after performing the
> invalidation, then the session is not invalidated and the next request
> returns isNew to false. If I write a static page to the output myself,
> then the session is properly invalidated so... I wonder if I have to do
> something special before/after invalidating a session. Does anybody have
> any clue?
>
> Here's some pseudocode, in case it helps...
> .- Get the session
> .- If session info is correct -> Allow the user to play
> .- If session is incorrect
>      -> session.invalidate()
>         If error page is static
>             Get the writer and write the page to the stream
>         else
>             Forward the request <--- SESSION IS NOT INVALIDATED
> .
>
> Could this be a bug in my environment?
> Apache 1.3.9
> JRun 2.3 Build 152
> Win NT
>
> Thanks in advance,
> Dan
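
The getSession(false) variant asked about above, as an added example that is not part of the original thread and is not a confirmed fix for the JRun behaviour described. It assumes a Servlet 2.2 or later API (javax.servlet); the class name, attribute name, parameter names, page paths and the checkCredentials hook are all hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example (hypothetical names): settles the session state before any output or forward.
public abstract class SessionGateServlet extends HttpServlet {
    private static final String USER_ATTR = "authUser";          // assumed attribute name
    private static final String LOGIN_ERROR = "/loginError.jsp"; // assumed page paths
    private static final String TIMED_OUT = "/timedOut.jsp";
    private static final String LOGIN_FORM = "/login.jsp";
    private static final String HOME = "/home.jsp";

    // The credential check is left to the application.
    protected abstract boolean checkCredentials(String user, String password);

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a session to throw away.
        HttpSession session = req.getSession(false);
        String user = req.getParameter("user");

        if (user != null) {                            // login attempt
            if (session != null) session.invalidate(); // never reuse a pre-login session
            if (!checkCredentials(user, req.getParameter("password"))) {
                forward(req, res, LOGIN_ERROR);
                return;
            }
            session = req.getSession(true);            // created before any output is written
            session.setAttribute(USER_ATTR, user);
            forward(req, res, HOME);
        } else if (session != null && session.getAttribute(USER_ATTR) != null) {
            forward(req, res, HOME);                   // authenticated request
        } else {
            // A session id the container no longer knows means the session expired.
            boolean expired = session == null && req.getRequestedSessionId() != null
                    && !req.isRequestedSessionIdValid();
            if (session != null) session.invalidate(); // session without a user: discard it
            forward(req, res, expired ? TIMED_OUT : LOGIN_FORM);
        }
    }

    // Target JSPs take part in sessions by default, so a forwarded error page creates a
    // new session unless it declares <%@ page session="false" %>.
    private void forward(HttpServletRequest req, HttpServletResponse res, String path)
            throws ServletException, IOException {
        req.getRequestDispatcher(path).forward(req, res);
    }
}
```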