We had exactly the same problem. If you click on a link to a servlet (that's
a get method), and the servlet cleans up the session (session.invalidate(),
session = request.getSession(true)) and then forwards to a logout.html or
logout.jsp...no problem, the new session is created.

If you click on a form submit, with the method post, and the servlet does
its form thing, and then does a session.invalidate(),
session.getSession(true), and then forwards to the logout.html or
logout.jsp...the session is not invalidated. We know this, because if you
check the getRemoteUser, it's still the old bastard, and not the new guest.

However, if you put a double pump in the jsp, that is an ifInRole("old
bastards") response.redirect("/logout"), where the /logout servlet again
tries to session.invalidate(), session.getSession(true) and back to the
logout.jsp...it works.

The only difference between the two methods in the spec is how cookies are
handled. The redirect guarantees that the cookie is reloaded.

Get works with a forward after you invalidate a session

Post only works with a redirect after you invalidate a session.

This sounds like either a bug, or the spec treats cookies under Get and Post
differently, since Orion uses cookies to keep session IDs by default (url
rewriting is only used when cookies are not used by the client).

regards,

the elephantwalker



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tom Bruser
Sent: Tuesday, September 18, 2001 5:24 PM
To: Orion-Interest
Subject: RE: session bug


I have reported an instance of this bug on Orion's bugzilla Bug #566 which
still remains marked as 'New' well after 1 month, so I still have no
feedback as to whether this is a bug or not.

My login_form.jsp file has the purpose of invalidating the current session
(to effectively logout any existing session), creating a new session,
retrieving a 'brand' bean, and displaying an appropriate login form which
utilizes some of the fields in the 'brand' bean (to determine colors and
logo image location, etc).

I use a JSP custom tag to handle the brand bean retrieval:

HttpServletRequest request = (HttpServletRequest)pageContext.getRequest();
HttpSession session = request.getSession();
session.invalidate();
HttpSession newsession = request.getSession(true);

// code to retrieve the brandbean omitted to reduce the clutter

session.setAttribute("brand",brandbean);


My JSP code for login_form.jsp contains this excerpt:

<mytags:newuser />
<jsp:useBean id="brand" scope="session"
type="com.mycompany.beans.BrandBean"/>

The resulting output when trying to access the page is as follows:

java.lang.IllegalStateException: Session was invalidated
        at com.evermind[Orion/1.5.2 (build 10460)].server.http.EvermindHttpSession.getAttribute(Unknown Source)
        at /login_form.jsp._jspService(/login_form.jsp.java:58)
// additional inconsequential stacktrace omitted.

It is obvious here that the object reference used to access the session
scope from the useBean tag has grown stale and is not affected by calls to
the request object's getSession(boolean) method.

A secondary issue is that the actual Session ID does not change when a new
session is requested.  I would like this to take place as well if it is
possible.  Does anyone have any suggestion of what I can implement without
creating nasty scriptlet code or otherwise significantly altering my control
flow?



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of The
elephantwalker
Sent: Tuesday, September 18, 2001 3:11 PM
To: Orion-Interest
Subject: RE: session bug


Rafael,

This won't work reliably on a post request, because the session management
also depends on cookies. In order to make sure you get a new session, you
will need to put in something like this (only for post request):

session.invalidate();
session = request.getSession(true);

// HttpSession exposes isNew(); there is no getNew() method
if (!session.isNew()) response.sendRedirect("/logout");

This will work about 99% of the time...whereas if you just do
session.invalidate(), session=request.getSession(true) it won't work in a
post request.

Regards,

the elephantwalker


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez
Sent: Tuesday, September 18, 2001 11:00 AM
To: Orion-Interest
Subject: Re: session bug


Hello Denis,
Try doing this:
session = request.getSession(true);
System.out.println("session = request.getSession(false);\t" +
session.hashCode());
System.out.println("session = " + session);
session.invalidate();
System.out.println("session.invalidate();\t" + session.hashCode());
System.out.println("session = " + session);
session = request.getSession(true);
System.out.println("session = request.getSession();\t" +
session.hashCode());
System.out.println("session = " + session);

That way you'll get a new session after the session is invalidated.
The problem arises because the session object that is associated with
the request object is the invalidated one until you create a new
session, either by a new hit in the page/servlet or by using
request.getSession(true).


Tuesday, September 18, 2001, 9:44:52 AM, you wrote:

DK> Hello everyone!

DK> I think I have found bug in orion 1.5.2.
DK> There is problem with sessions. When I invalidate session and then get new
DK> session, sometimes (not always) I get same invalidated session.
DK> Does anybody have same problem? Any solution except that I remove all data
DK> from session?
DK> Thanks in advance.


DK> Here is code that demonstrates bug:

DK> session = request.getSession(true);
DK> System.out.println("session = request.getSession(false);\t" +
DK> session.hashCode());
DK> System.out.println("session = " + session);
DK> session.invalidate();
DK> System.out.println("session.invalidate();\t" + session.hashCode());
DK> System.out.println("session = " + session);
DK> session = request.getSession();
DK> System.out.println("session = request.getSession();\t" +
DK> session.hashCode());
DK> System.out.println("session = " + session);


DK> Orion's output:

DK> session = request.getSession();    2935133
DK> session = HTTP Session AKAEMHOGAJOD
DK> session.invalidate();   2935133
DK> session = HTTP Session AKAEMHOGAJOD
DK> session = request.getSession();         2935133
DK> session = HTTP Session AKAEMHOGAJOD

DK> Exception is
DK> java.lang.IllegalStateException: Session was invalidated
DK>         at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown Source)
DK>         at isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
DK>         at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
DK>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
DK>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
DK>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
DK>         at com.evermind._cxb._abe(Unknown Source)
DK>         at com.evermind._cxb._uec(Unknown Source)
DK>         at com.evermind._io._twc(Unknown Source)
DK>         at com.evermind._io._gc(Unknown Source)
DK>         at com.evermind._if.run(Unknown Source)



Best regards,
 Rafael                            mailto:[EMAIL PROTECTED]
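
Added example, not code from any poster in this thread or from Orion: a logout servlet that combines the points raised above (never reuse the invalidated HttpSession reference, check that the session ID actually changed, and redirect rather than forward so the browser receives the new cookie). The LogoutServlet class name and the /logout.jsp target are assumptions; only standard javax.servlet calls are used.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (name and redirect target are assumptions).
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        resetSession(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        resetSession(request, response);
    }

    private void resetSession(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) avoids creating a session only to destroy it.
        HttpSession old = request.getSession(false);
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            old.invalidate();
        }
        // 'old' is dead from here on: any attribute call on it throws
        // IllegalStateException. Use only the reference returned below.
        HttpSession fresh = request.getSession(true);

        // An unchanged ID or a non-new session means the container handed the
        // old session back; record it without writing the ID to the log.
        if (!fresh.isNew() || fresh.getId().equals(oldId)) {
            log("logout: session was not rotated after invalidate()");
        }

        // Redirect for GET and POST alike, so the next request carries the
        // new session cookie and the JSP resolves session scope from scratch.
        response.sendRedirect(request.getContextPath() + "/logout.jsp");
    }
}
```

A session ID that survives logout and login is the precondition for session fixation, which is why the ID comparison is worth keeping in place. On Servlet 3.1 and later containers, HttpServletRequest.changeSessionId() rotates the ID without discarding attributes.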






