Re: session bug
Hello Denis, Try doing this: session = request.getSession(true); System.out.println(session = request.getSession(false);\t + session.hashCode()); System.out.println(session = + session); session.invalidate(); System.out.println(session.invalidate();\t + session.hashCode()); System.out.println(session = + session); session = request.getSession(true); System.out.println(session = request.getSession();\t + session.hashCode()); System.out.println(session = + session); That way you'll get a new session after the session is invalidated. The problem arises because the session object that is associated with the request object is the invalidated one until you create a new session, either by a new hit in the page/servlet or by using request.getSession(true). Tuesday, September 18, 2001, 9:44:52 AM, you wrote: DK Hello everyone! DK I think I have found bug in orion 1.5.2. DK There is problem with sessions. When I invalidate session and then get new DK session, sometimes (not always) I get same invalidated session. DK Does anybody have same problem? Any solution except that I remove all data DK from session? DK Thanks in advance. DK Here is code that demonstrates bug: DK session = request.getSession(true); DK System.out.println(session = request.getSession(false);\t + DK session.hashCode()); DK System.out.println(session = + session); DK session.invalidate(); DK System.out.println(session.invalidate();\t + session.hashCode()); DK System.out.println(session = + session); DK session = request.getSession(); DK System.out.println(session = request.getSession();\t + DK session.hashCode()); DK System.out.println(session = + session); DK Orion's output: DK session = request.getSession();2935133 DK session = HTTP Session AKAEMHOGAJOD DK session.invalidate(); 2935133 DK session = HTTP Session AKAEMHOGAJOD DK session = request.getSession(); 2935133 DK session = HTTP Session AKAEMHOGAJOD DK Exception is DK java.lang.IllegalStateException: Session was invalidated DK at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown DK Source) DK at DK isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161) DK at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183) DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:211) DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:309) DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:336) DK at com.evermind._cxb._abe(Unknown Source) DK at com.evermind._cxb._uec(Unknown Source) DK at com.evermind._io._twc(Unknown Source) DK at com.evermind._io._gc(Unknown Source) DK at com.evermind._if.run(Unknown Source) Best regards, Rafaelmailto:[EMAIL PROTECTED]
RE: session bug
Rafael, This won't work reliably on a post request, because the session management also depends on cookies. In order to make sure you get a new session, you will need to put in something like this (only for post request): session.invalidate() session = request.getSession(true); if(!session.getNew()) response.sendRedirect(/logout); This will work about 99% of the time...whereas if you just do session.invalidate(), session=request.getSession(true) it won't work in a post request. Regards, the elephantwalker -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez Sent: Tuesday, September 18, 2001 11:00 AM To: Orion-Interest Subject: Re: session bug Hello Denis, Try doing this: session = request.getSession(true); System.out.println(session = request.getSession(false);\t + session.hashCode()); System.out.println(session = + session); session.invalidate(); System.out.println(session.invalidate();\t + session.hashCode()); System.out.println(session = + session); session = request.getSession(true); System.out.println(session = request.getSession();\t + session.hashCode()); System.out.println(session = + session); That way you'll get a new session after the session is invalidated. The problem arises because the session object that is associated with the request object is the invalidated one until you create a new session, either by a new hit in the page/servlet or by using request.getSession(true). Tuesday, September 18, 2001, 9:44:52 AM, you wrote: DK Hello everyone! DK I think I have found bug in orion 1.5.2. DK There is problem with sessions. When I invalidate session and then get new DK session, sometimes (not always) I get same invalidated session. DK Does anybody have same problem? Any solution except that I remove all data DK from session? DK Thanks in advance. DK Here is code that demonstrates bug: DK session = request.getSession(true); DK System.out.println(session = request.getSession(false);\t + DK session.hashCode()); DK System.out.println(session = + session); DK session.invalidate(); DK System.out.println(session.invalidate();\t + session.hashCode()); DK System.out.println(session = + session); DK session = request.getSession(); DK System.out.println(session = request.getSession();\t + DK session.hashCode()); DK System.out.println(session = + session); DK Orion's output: DK session = request.getSession();2935133 DK session = HTTP Session AKAEMHOGAJOD DK session.invalidate(); 2935133 DK session = HTTP Session AKAEMHOGAJOD DK session = request.getSession(); 2935133 DK session = HTTP Session AKAEMHOGAJOD DK Exception is DK java.lang.IllegalStateException: Session was invalidated DK at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown DK Source) DK at DK isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161) DK at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183) DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:211) DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:309) DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:336) DK at com.evermind._cxb._abe(Unknown Source) DK at com.evermind._cxb._uec(Unknown Source) DK at com.evermind._io._twc(Unknown Source) DK at com.evermind._io._gc(Unknown Source) DK at com.evermind._if.run(Unknown Source) Best regards, Rafaelmailto:[EMAIL PROTECTED]
RE: session bug
I was also having same problem but it is not always only sometime. If any one find solution please let me know Thanks Ritesh -Original Message- From: Denis Kranjcec [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 18, 2001 9:45 AM To: Orion-Interest Subject: session bug Hello everyone! I think I have found bug in orion 1.5.2. There is problem with sessions. When I invalidate session and then get new session, sometimes (not always) I get same invalidated session. Does anybody have same problem? Any solution except that I remove all data from session? Thanks in advance. Here is code that demonstrates bug: session = request.getSession(true); System.out.println("session = request.getSession(false);\t" + session.hashCode()); System.out.println("session = " + session); session.invalidate(); System.out.println("session.invalidate();\t" + session.hashCode()); System.out.println("session = " + session); session = request.getSession(); System.out.println("session = request.getSession();\t" + session.hashCode()); System.out.println("session = " + session); Orion's output: session = request.getSession();2935133 session = HTTP Session AKAEMHOGAJOD session.invalidate(); 2935133 session = HTTP Session AKAEMHOGAJOD session = request.getSession(); 2935133 session = HTTP Session AKAEMHOGAJOD Exception is java.lang.IllegalStateException: Session was invalidated at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown Source) at isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161) at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183) at javax.servlet.http.HttpServlet.service(HttpServlet.java:211) at javax.servlet.http.HttpServlet.service(HttpServlet.java:309) at javax.servlet.http.HttpServlet.service(HttpServlet.java:336) at com.evermind._cxb._abe(Unknown Source) at com.evermind._cxb._uec(Unknown Source) at com.evermind._io._twc(Unknown Source) at com.evermind._io._gc(Unknown Source) at com.evermind._if.run(Unknown Source) With tomcat everything works OK. Tomcat's output: session = request.getSession();7616245 session = org.apache.tomcat.session.StandardSession@7436f5 session.invalidate(); 7616245 session = org.apache.tomcat.session.StandardSession@7436f5 session = request.getSession(); 4461550 session = org.apache.tomcat.session.StandardSession@4413ee Denis Kranjcec
Re: session bug
i have the same issue - Original Message - From: "Denis Kranjcec" [EMAIL PROTECTED] To: "Orion-Interest" [EMAIL PROTECTED] Sent: Tuesday, September 18, 2001 1:44 PM Subject: session bug Hello everyone! I think I have found bug in orion 1.5.2. There is problem with sessions. When I invalidate session and then get new session, sometimes (not always) I get same invalidated session. Does anybody have same problem? Any solution except that I remove all data from session? Thanks in advance. Here is code that demonstrates bug: session = request.getSession(true); System.out.println("session = request.getSession(false);\t" + session.hashCode()); System.out.println("session = " + session); session.invalidate(); System.out.println("session.invalidate();\t" + session.hashCode()); System.out.println("session = " + session); session = request.getSession(); System.out.println("session = request.getSession();\t" + session.hashCode()); System.out.println("session = " + session); Orion's output: session = request.getSession();2935133 session = HTTP Session AKAEMHOGAJOD session.invalidate(); 2935133 session = HTTP Session AKAEMHOGAJOD session = request.getSession(); 2935133 session = HTTP Session AKAEMHOGAJOD Exception is java.lang.IllegalStateException: Session was invalidated at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown Source) at isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161) at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183) at javax.servlet.http.HttpServlet.service(HttpServlet.java:211) at javax.servlet.http.HttpServlet.service(HttpServlet.java:309) at javax.servlet.http.HttpServlet.service(HttpServlet.java:336) at com.evermind._cxb._abe(Unknown Source) at com.evermind._cxb._uec(Unknown Source) at com.evermind._io._twc(Unknown Source) at com.evermind._io._gc(Unknown Source) at com.evermind._if.run(Unknown Source) With tomcat everything works OK. Tomcat's output: session = request.getSession();7616245 session = org.apache.tomcat.session.StandardSession@7436f5 session.invalidate(); 7616245 session = org.apache.tomcat.session.StandardSession@7436f5 session = request.getSession(); 4461550 session = org.apache.tomcat.session.StandardSession@4413ee Denis Kranjcec
RE: session bug
If I read your output correctly, your session object is still there in Tomcat after the invalidate; only when you do a new getSession() a new session ID is obtained. I have not read the spec on what the behaviour should be, but the required behaviour may only say that at the *next incoming request* the session object is not available any more. Anybody out there took a peek at the spec? --peter -Original Message- From: Denis Kranjcec [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 18, 2001 6:45 AM To: Orion-Interest Subject: session bug Hello everyone! I think I have found bug in orion 1.5.2. There is problem with sessions. When I invalidate session and then get new session, sometimes (not always) I get same invalidated session. Does anybody have same problem? Any solution except that I remove all data from session? Thanks in advance. Here is code that demonstrates bug: session = request.getSession(true); System.out.println("session = request.getSession(false);\t" + session.hashCode()); System.out.println("session = " + session); session.invalidate(); System.out.println("session.invalidate();\t" + session.hashCode()); System.out.println("session = " + session); session = request.getSession(); System.out.println("session = request.getSession();\t" + session.hashCode()); System.out.println("session = " + session); Orion's output: session = request.getSession();2935133 session = HTTP Session AKAEMHOGAJOD session.invalidate(); 2935133 session = HTTP Session AKAEMHOGAJOD session = request.getSession(); 2935133 session = HTTP Session AKAEMHOGAJOD Exception is java.lang.IllegalStateException: Session was invalidated at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown Source) at isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161) at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183) at javax.servlet.http.HttpServlet.service(HttpServlet.java:211) at javax.servlet.http.HttpServlet.service(HttpServlet.java:309) at javax.servlet.http.HttpServlet.service(HttpServlet.java:336) at com.evermind._cxb._abe(Unknown Source) at com.evermind._cxb._uec(Unknown Source) at com.evermind._io._twc(Unknown Source) at com.evermind._io._gc(Unknown Source) at com.evermind._if.run(Unknown Source) With tomcat everything works OK. Tomcat's output: session = request.getSession();7616245 session = org.apache.tomcat.session.StandardSession@7436f5 session.invalidate(); 7616245 session = org.apache.tomcat.session.StandardSession@7436f5 session = request.getSession(); 4461550 session = org.apache.tomcat.session.StandardSession@4413ee Denis Kranjcec
RE: session bug
I have reported an instance of this bug on Orion's bugzilla Bug #566 which still remains marked as 'New' well after 1 month, so I still have no feedback as to whether this is a bug or not. My login_form.jsp file has the purpose of invalidating the current session (to effectively logout any existing session), creating a new session, retrieving a 'brand' bean, and displaying an appropriate login form which utilizes some of the fields in the 'brand' bean (to determine colors and logo image location, etc). I use a JSP custom tag to handle the brand bean retrieval: HttpServletRequest request = (HttpServletRequest)pageContext.getRequest(); HttpSession session = request.getSession(); session.invalidate(); HttpSession newsession = request.getSession(true); // code to retrieve the brandbean omitted to reduce the clutter session.setAttribute(brand,brandbean); My JSP code for login_form.jsp contains this excerpt: mytags:newuser / jsp:useBean id=brand scope=session type=com.mycompany.beans.BrandBean/ The resulting output when trying to access the page is as follows: java.lang.IllegalStateException: Session was invalidated at com.evermind[Orion/1.5.2 (build 10460)].server.http.EvermindHttpSession.getAttribute(Unknown Source) at /login_form.jsp._jspService(/login_form.jsp.java:58) // additional inconsequential stacktrace omitted. It is obvious here that the object reference used to access the session scope from the useBean tag has grown stale and is not effected by calls to the request object's getSession(boolean) method. A secondary issue is that the actual Session ID does not change when a new session is requested. I would like this to take place as well if it is possible. Does anyone have any suggestion of what I can implement without creating nasty scriptlet code or otherwise significantly altering my control flow? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of The elephantwalker Sent: Tuesday, September 18, 2001 3:11 PM To: Orion-Interest Subject: RE: session bug Rafael, This won't work reliably on a post request, because the session management also depends on cookies. In order to make sure you get a new session, you will need to put in something like this (only for post request): session.invalidate() session = request.getSession(true); if(!session.getNew()) response.sendRedirect(/logout); This will work about 99% of the time...whereas if you just do session.invalidate(), session=request.getSession(true) it won't work in a post request. Regards, the elephantwalker -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez Sent: Tuesday, September 18, 2001 11:00 AM To: Orion-Interest Subject: Re: session bug Hello Denis, Try doing this: session = request.getSession(true); System.out.println(session = request.getSession(false);\t + session.hashCode()); System.out.println(session = + session); session.invalidate(); System.out.println(session.invalidate();\t + session.hashCode()); System.out.println(session = + session); session = request.getSession(true); System.out.println(session = request.getSession();\t + session.hashCode()); System.out.println(session = + session); That way you'll get a new session after the session is invalidated. The problem arises because the session object that is associated with the request object is the invalidated one until you create a new session, either by a new hit in the page/servlet or by using request.getSession(true). Tuesday, September 18, 2001, 9:44:52 AM, you wrote: DK Hello everyone! DK I think I have found bug in orion 1.5.2. DK There is problem with sessions. When I invalidate session and then get new DK session, sometimes (not always) I get same invalidated session. DK Does anybody have same problem? Any solution except that I remove all data DK from session? DK Thanks in advance. DK Here is code that demonstrates bug: DK session = request.getSession(true); DK System.out.println(session = request.getSession(false);\t + DK session.hashCode()); DK System.out.println(session = + session); DK session.invalidate(); DK System.out.println(session.invalidate();\t + session.hashCode()); DK System.out.println(session = + session); DK session = request.getSession(); DK System.out.println(session = request.getSession();\t + DK session.hashCode()); DK System.out.println(session = + session); DK Orion's output: DK session = request.getSession();2935133 DK session = HTTP Session AKAEMHOGAJOD DK session.invalidate(); 2935133 DK session = HTTP Session AKAEMHOGAJOD DK session = request.getSession(); 2935133 DK session = HTTP Session AKAEMHOGAJOD DK Exception is DK java.lang.IllegalStateException: Session was invalidated DK at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown DK Source) DK at DK isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161) DK
RE: session bug
We had exactly the same problem. If you click on a link to a servlet (thats a get method), and the servlet cleans up the session (session.invalidate(), session = request.getSession(true),) and then forwards to a logout.html or logout.jsp...no problem, the new session is created. If you click on a form submit, with the method post, and the servlets does its form thing, and then does a session.invalidate(), session.getSession(true), and then forwards to the logout.html our logout.jsp...the session is not invalidated. We know this, because if you check the getRemoteUser, its still the old bastard, and not the new guest. However, if you put a double pump in the jsp, that is a ifInRole(old bastards) response.redirect(/logout), where the /logout servlet again tries to session.invalidate(), session.getSession(true) and back to the logout.jsp...it works. The only difference between the two methods in the spec is how cookies are handled. The redirect garantees that the cookie is reloaded. Get works with a forward after you invalidate a session Post only works with a redirect after you invalidate a session. This sounds like either a bug, or the spec treats cookies under Get and Post differently, since Orion uses cookie's to keep session id's by default (url rewritting is only used when cookies are not used by the client). regards, the elephantwalker -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Bruser Sent: Tuesday, September 18, 2001 5:24 PM To: Orion-Interest Subject: RE: session bug I have reported an instance of this bug on Orion's bugzilla Bug #566 which still remains marked as 'New' well after 1 month, so I still have no feedback as to whether this is a bug or not. My login_form.jsp file has the purpose of invalidating the current session (to effectively logout any existing session), creating a new session, retrieving a 'brand' bean, and displaying an appropriate login form which utilizes some of the fields in the 'brand' bean (to determine colors and logo image location, etc). I use a JSP custom tag to handle the brand bean retrieval: HttpServletRequest request = (HttpServletRequest)pageContext.getRequest(); HttpSession session = request.getSession(); session.invalidate(); HttpSession newsession = request.getSession(true); // code to retrieve the brandbean omitted to reduce the clutter session.setAttribute(brand,brandbean); My JSP code for login_form.jsp contains this excerpt: mytags:newuser / jsp:useBean id=brand scope=session type=com.mycompany.beans.BrandBean/ The resulting output when trying to access the page is as follows: java.lang.IllegalStateException: Session was invalidated at com.evermind[Orion/1.5.2 (build 10460)].server.http.EvermindHttpSession.getAttribute(Unknown Source) at /login_form.jsp._jspService(/login_form.jsp.java:58) // additional inconsequential stacktrace omitted. It is obvious here that the object reference used to access the session scope from the useBean tag has grown stale and is not effected by calls to the request object's getSession(boolean) method. A secondary issue is that the actual Session ID does not change when a new session is requested. I would like this to take place as well if it is possible. Does anyone have any suggestion of what I can implement without creating nasty scriptlet code or otherwise significantly altering my control flow? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of The elephantwalker Sent: Tuesday, September 18, 2001 3:11 PM To: Orion-Interest Subject: RE: session bug Rafael, This won't work reliably on a post request, because the session management also depends on cookies. In order to make sure you get a new session, you will need to put in something like this (only for post request): session.invalidate() session = request.getSession(true); if(!session.getNew()) response.sendRedirect(/logout); This will work about 99% of the time...whereas if you just do session.invalidate(), session=request.getSession(true) it won't work in a post request. Regards, the elephantwalker -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez Sent: Tuesday, September 18, 2001 11:00 AM To: Orion-Interest Subject: Re: session bug Hello Denis, Try doing this: session = request.getSession(true); System.out.println(session = request.getSession(false);\t + session.hashCode()); System.out.println(session = + session); session.invalidate(); System.out.println(session.invalidate();\t + session.hashCode()); System.out.println(session = + session); session = request.getSession(true); System.out.println(session = request.getSession();\t + session.hashCode()); System.out.println(session = + session); That way you'll get a new session after the session is invalidated. The problem arises because the session object that is associated with the request object is the invalidated one