Re: session bug

2001-09-18 Thread Rafael Alvarez

Hello Denis,
Try doing this:
session = request.getSession(true);
System.out.println(session = request.getSession(false);\t +
session.hashCode());
System.out.println(session =  + session);
session.invalidate();
System.out.println(session.invalidate();\t + session.hashCode());
System.out.println(session =  + session);
session = request.getSession(true);
System.out.println(session = request.getSession();\t +
session.hashCode());
System.out.println(session =  + session);

That way you'll get a new session after the session is invalidated.
The problem arises because the session object that is associated with
the request object is the invalidated one until you create a new
session, either by a new hit in the page/servlet or by using
request.getSession(true).


Tuesday, September 18, 2001, 9:44:52 AM, you wrote:

DK Hello everyone!

DK I think I have found bug in orion 1.5.2.
DK There is problem with sessions. When I invalidate session and then get new
DK session, sometimes (not always) I get same invalidated session.
DK Does anybody have same problem? Any solution except that I remove all data
DK from session?
DK Thanks in advance.


DK Here is code that demonstrates bug:

DK session = request.getSession(true);
DK System.out.println(session = request.getSession(false);\t +
DK session.hashCode());
DK System.out.println(session =  + session);
DK session.invalidate();
DK System.out.println(session.invalidate();\t + session.hashCode());
DK System.out.println(session =  + session);
DK session = request.getSession();
DK System.out.println(session = request.getSession();\t +
DK session.hashCode());
DK System.out.println(session =  + session);


DK Orion's output:

DK session = request.getSession();2935133
DK session = HTTP Session AKAEMHOGAJOD
DK session.invalidate();   2935133
DK session = HTTP Session AKAEMHOGAJOD
DK session = request.getSession(); 2935133
DK session = HTTP Session AKAEMHOGAJOD

DK Exception is
DK java.lang.IllegalStateException: Session was invalidated
DK at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown
DK Source)
DK at
DK isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
DK at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
DK at com.evermind._cxb._abe(Unknown Source)
DK at com.evermind._cxb._uec(Unknown Source)
DK at com.evermind._io._twc(Unknown Source)
DK at com.evermind._io._gc(Unknown Source)
DK at com.evermind._if.run(Unknown Source)



Best regards,
 Rafaelmailto:[EMAIL PROTECTED]






RE: session bug

2001-09-18 Thread The elephantwalker

Rafael,

This won't work reliably on  a post request, because the session management
also depends on cookies. In order to make sure you get a new session, you
will need to put in something like this (only for post request):

session.invalidate()
session = request.getSession(true);

if(!session.getNew()) response.sendRedirect(/logout);

This will work about 99% of the time...whereas if you just do
session.invalidate(), session=request.getSession(true) it won't work in a
post request.

Regards,

the elephantwalker


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez
Sent: Tuesday, September 18, 2001 11:00 AM
To: Orion-Interest
Subject: Re: session bug


Hello Denis,
Try doing this:
session = request.getSession(true);
System.out.println(session = request.getSession(false);\t +
session.hashCode());
System.out.println(session =  + session);
session.invalidate();
System.out.println(session.invalidate();\t + session.hashCode());
System.out.println(session =  + session);
session = request.getSession(true);
System.out.println(session = request.getSession();\t +
session.hashCode());
System.out.println(session =  + session);

That way you'll get a new session after the session is invalidated.
The problem arises because the session object that is associated with
the request object is the invalidated one until you create a new
session, either by a new hit in the page/servlet or by using
request.getSession(true).


Tuesday, September 18, 2001, 9:44:52 AM, you wrote:

DK Hello everyone!

DK I think I have found bug in orion 1.5.2.
DK There is problem with sessions. When I invalidate session and then get
new
DK session, sometimes (not always) I get same invalidated session.
DK Does anybody have same problem? Any solution except that I remove all
data
DK from session?
DK Thanks in advance.


DK Here is code that demonstrates bug:

DK session = request.getSession(true);
DK System.out.println(session = request.getSession(false);\t +
DK session.hashCode());
DK System.out.println(session =  + session);
DK session.invalidate();
DK System.out.println(session.invalidate();\t + session.hashCode());
DK System.out.println(session =  + session);
DK session = request.getSession();
DK System.out.println(session = request.getSession();\t +
DK session.hashCode());
DK System.out.println(session =  + session);


DK Orion's output:

DK session = request.getSession();2935133
DK session = HTTP Session AKAEMHOGAJOD
DK session.invalidate();   2935133
DK session = HTTP Session AKAEMHOGAJOD
DK session = request.getSession(); 2935133
DK session = HTTP Session AKAEMHOGAJOD

DK Exception is
DK java.lang.IllegalStateException: Session was invalidated
DK at
com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown
DK Source)
DK at
DK isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
DK at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
DK at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
DK at com.evermind._cxb._abe(Unknown Source)
DK at com.evermind._cxb._uec(Unknown Source)
DK at com.evermind._io._twc(Unknown Source)
DK at com.evermind._io._gc(Unknown Source)
DK at com.evermind._if.run(Unknown Source)



Best regards,
 Rafaelmailto:[EMAIL PROTECTED]







RE: session bug

2001-09-18 Thread Shah, Ritesh

I was also having same problem but it is not always only sometime.
If any one find solution please let me know

Thanks
Ritesh

-Original Message-
From: Denis Kranjcec [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: Orion-Interest
Subject: session bug


Hello everyone!

I think I have found bug in orion 1.5.2.
There is problem with sessions. When I invalidate session and then get new
session, sometimes (not always) I get same invalidated session.
Does anybody have same problem? Any solution except that I remove all data
from session?
Thanks in advance.


Here is code that demonstrates bug:

session = request.getSession(true);
System.out.println("session = request.getSession(false);\t" +
session.hashCode());
System.out.println("session = " + session);
session.invalidate();
System.out.println("session.invalidate();\t" + session.hashCode());
System.out.println("session = " + session);
session = request.getSession();
System.out.println("session = request.getSession();\t" +
session.hashCode());
System.out.println("session = " + session);


Orion's output:

session = request.getSession();2935133
session = HTTP Session AKAEMHOGAJOD
session.invalidate();   2935133
session = HTTP Session AKAEMHOGAJOD
session = request.getSession(); 2935133
session = HTTP Session AKAEMHOGAJOD

Exception is
java.lang.IllegalStateException: Session was invalidated
at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown
Source)
at
isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
at com.evermind._cxb._abe(Unknown Source)
at com.evermind._cxb._uec(Unknown Source)
at com.evermind._io._twc(Unknown Source)
at com.evermind._io._gc(Unknown Source)
at com.evermind._if.run(Unknown Source)


With tomcat everything works OK.
Tomcat's output:

session = request.getSession();7616245
session = org.apache.tomcat.session.StandardSession@7436f5
session.invalidate();   7616245
session = org.apache.tomcat.session.StandardSession@7436f5
session = request.getSession(); 4461550
session = org.apache.tomcat.session.StandardSession@4413ee



Denis Kranjcec





Re: session bug

2001-09-18 Thread Christian Meunier

i have the same issue


- Original Message -
From: "Denis Kranjcec" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Sent: Tuesday, September 18, 2001 1:44 PM
Subject: session bug


 Hello everyone!

 I think I have found bug in orion 1.5.2.
 There is problem with sessions. When I invalidate session and then get new
 session, sometimes (not always) I get same invalidated session.
 Does anybody have same problem? Any solution except that I remove all data
 from session?
 Thanks in advance.


 Here is code that demonstrates bug:

 session = request.getSession(true);
 System.out.println("session = request.getSession(false);\t" +
 session.hashCode());
 System.out.println("session = " + session);
 session.invalidate();
 System.out.println("session.invalidate();\t" + session.hashCode());
 System.out.println("session = " + session);
 session = request.getSession();
 System.out.println("session = request.getSession();\t" +
 session.hashCode());
 System.out.println("session = " + session);


 Orion's output:

 session = request.getSession();2935133
 session = HTTP Session AKAEMHOGAJOD
 session.invalidate();   2935133
 session = HTTP Session AKAEMHOGAJOD
 session = request.getSession(); 2935133
 session = HTTP Session AKAEMHOGAJOD

 Exception is
 java.lang.IllegalStateException: Session was invalidated
 at
com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown
 Source)
 at
 isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
 at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
 at com.evermind._cxb._abe(Unknown Source)
 at com.evermind._cxb._uec(Unknown Source)
 at com.evermind._io._twc(Unknown Source)
 at com.evermind._io._gc(Unknown Source)
 at com.evermind._if.run(Unknown Source)


 With tomcat everything works OK.
 Tomcat's output:

 session = request.getSession();7616245
 session = org.apache.tomcat.session.StandardSession@7436f5
 session.invalidate();   7616245
 session = org.apache.tomcat.session.StandardSession@7436f5
 session = request.getSession(); 4461550
 session = org.apache.tomcat.session.StandardSession@4413ee



 Denis Kranjcec







RE: session bug

2001-09-18 Thread SAURUGGER,PETER (A-PaloAlto,ex2)

If I read your output correctly, your session object is still there in
Tomcat after the invalidate; only when you do a new getSession() a new
session ID is obtained. I have not read the spec on what the behaviour
should be, but the required behaviour may only say that at the *next
incoming request* the session object is not available any more.

Anybody out there took a peek at the spec?

--peter

-Original Message-
From: Denis Kranjcec [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 6:45 AM
To: Orion-Interest
Subject: session bug


Hello everyone!

I think I have found bug in orion 1.5.2.
There is problem with sessions. When I invalidate session and then get new
session, sometimes (not always) I get same invalidated session.
Does anybody have same problem? Any solution except that I remove all data
from session?
Thanks in advance.


Here is code that demonstrates bug:

session = request.getSession(true);
System.out.println("session = request.getSession(false);\t" +
session.hashCode());
System.out.println("session = " + session);
session.invalidate();
System.out.println("session.invalidate();\t" + session.hashCode());
System.out.println("session = " + session);
session = request.getSession();
System.out.println("session = request.getSession();\t" +
session.hashCode());
System.out.println("session = " + session);


Orion's output:

session = request.getSession();2935133
session = HTTP Session AKAEMHOGAJOD
session.invalidate();   2935133
session = HTTP Session AKAEMHOGAJOD
session = request.getSession(); 2935133
session = HTTP Session AKAEMHOGAJOD

Exception is
java.lang.IllegalStateException: Session was invalidated
at com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown
Source)
at
isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
at com.evermind._cxb._abe(Unknown Source)
at com.evermind._cxb._uec(Unknown Source)
at com.evermind._io._twc(Unknown Source)
at com.evermind._io._gc(Unknown Source)
at com.evermind._if.run(Unknown Source)


With tomcat everything works OK.
Tomcat's output:

session = request.getSession();7616245
session = org.apache.tomcat.session.StandardSession@7436f5
session.invalidate();   7616245
session = org.apache.tomcat.session.StandardSession@7436f5
session = request.getSession(); 4461550
session = org.apache.tomcat.session.StandardSession@4413ee



Denis Kranjcec





RE: session bug

2001-09-18 Thread Tom Bruser

I have reported an instance of this bug on Orion's bugzilla Bug #566 which
still remains marked as 'New' well after 1 month, so I still have no
feedback as to whether this is a bug or not.

My login_form.jsp file has the purpose of invalidating the current session
(to effectively logout any existing session), creating a new session,
retrieving a 'brand' bean, and displaying an appropriate login form which
utilizes some of the fields in the 'brand' bean (to determine colors and
logo image location, etc).

I use a JSP custom tag to handle the brand bean retrieval:

HttpServletRequest request = (HttpServletRequest)pageContext.getRequest();
HttpSession session = request.getSession();
session.invalidate();
HttpSession newsession = request.getSession(true);

// code to retrieve the brandbean omitted to reduce the clutter

session.setAttribute(brand,brandbean);


My JSP code for login_form.jsp contains this excerpt:

mytags:newuser /
jsp:useBean id=brand scope=session
type=com.mycompany.beans.BrandBean/

The resulting output when trying to access the page is as follows:

java.lang.IllegalStateException: Session was invalidated
at com.evermind[Orion/1.5.2 (build
10460)].server.http.EvermindHttpSession.getAttribute(Unknown Source)
at /login_form.jsp._jspService(/login_form.jsp.java:58)
// additional inconsequential stacktrace omitted.

It is obvious here that the object reference used to access the session
scope from the useBean tag has grown stale and is not effected by calls to
the request object's getSession(boolean) method.

A secondary issue is that the actual Session ID does not change when a new
session is requested.  I would like this to take place as well if it is
possible.  Does anyone have any suggestion of what I can implement without
creating nasty scriptlet code or otherwise significantly altering my control
flow?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of The
elephantwalker
Sent: Tuesday, September 18, 2001 3:11 PM
To: Orion-Interest
Subject: RE: session bug


Rafael,

This won't work reliably on  a post request, because the session management
also depends on cookies. In order to make sure you get a new session, you
will need to put in something like this (only for post request):

session.invalidate()
session = request.getSession(true);

if(!session.getNew()) response.sendRedirect(/logout);

This will work about 99% of the time...whereas if you just do
session.invalidate(), session=request.getSession(true) it won't work in a
post request.

Regards,

the elephantwalker


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez
Sent: Tuesday, September 18, 2001 11:00 AM
To: Orion-Interest
Subject: Re: session bug


Hello Denis,
Try doing this:
session = request.getSession(true);
System.out.println(session = request.getSession(false);\t +
session.hashCode());
System.out.println(session =  + session);
session.invalidate();
System.out.println(session.invalidate();\t + session.hashCode());
System.out.println(session =  + session);
session = request.getSession(true);
System.out.println(session = request.getSession();\t +
session.hashCode());
System.out.println(session =  + session);

That way you'll get a new session after the session is invalidated.
The problem arises because the session object that is associated with
the request object is the invalidated one until you create a new
session, either by a new hit in the page/servlet or by using
request.getSession(true).


Tuesday, September 18, 2001, 9:44:52 AM, you wrote:

DK Hello everyone!

DK I think I have found bug in orion 1.5.2.
DK There is problem with sessions. When I invalidate session and then get
new
DK session, sometimes (not always) I get same invalidated session.
DK Does anybody have same problem? Any solution except that I remove all
data
DK from session?
DK Thanks in advance.


DK Here is code that demonstrates bug:

DK session = request.getSession(true);
DK System.out.println(session = request.getSession(false);\t +
DK session.hashCode());
DK System.out.println(session =  + session);
DK session.invalidate();
DK System.out.println(session.invalidate();\t + session.hashCode());
DK System.out.println(session =  + session);
DK session = request.getSession();
DK System.out.println(session = request.getSession();\t +
DK session.hashCode());
DK System.out.println(session =  + session);


DK Orion's output:

DK session = request.getSession();2935133
DK session = HTTP Session AKAEMHOGAJOD
DK session.invalidate();   2935133
DK session = HTTP Session AKAEMHOGAJOD
DK session = request.getSession(); 2935133
DK session = HTTP Session AKAEMHOGAJOD

DK Exception is
DK java.lang.IllegalStateException: Session was invalidated
DK at
com.evermind.server.http.EvermindHttpSession.setAttribute(Unknown
DK Source)
DK at
DK isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
DK

RE: session bug

2001-09-18 Thread The elephantwalker

We had exactly the same problem. If you click on a link to a servlet (thats
a get method), and the servlet cleans up the session (session.invalidate(),
session = request.getSession(true),) and then forwards to a logout.html or
logout.jsp...no problem, the new session is created.

If you click on a form submit, with the method post, and the servlets does
its form thing, and then does a session.invalidate(),
session.getSession(true), and then forwards to the logout.html our
logout.jsp...the session is not invalidated. We know this, because if you
check the getRemoteUser, its still the old bastard, and not the new guest.

However, if you put a double pump in the jsp, that is a ifInRole(old
bastards) response.redirect(/logout), where the /logout servlet again
tries to session.invalidate(), session.getSession(true) and back to the
logout.jsp...it works.

The only difference between the two methods in the spec is how cookies are
handled. The redirect garantees that the cookie is reloaded.

Get works with a forward after you invalidate a session

Post only works with a redirect after you invalidate a session.

This sounds like either a bug, or the spec treats cookies under Get and Post
differently, since Orion uses cookie's to keep session id's by default (url
rewritting is only used when cookies are not used by the client).

regards,

the elephantwalker



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tom Bruser
Sent: Tuesday, September 18, 2001 5:24 PM
To: Orion-Interest
Subject: RE: session bug


I have reported an instance of this bug on Orion's bugzilla Bug #566 which
still remains marked as 'New' well after 1 month, so I still have no
feedback as to whether this is a bug or not.

My login_form.jsp file has the purpose of invalidating the current session
(to effectively logout any existing session), creating a new session,
retrieving a 'brand' bean, and displaying an appropriate login form which
utilizes some of the fields in the 'brand' bean (to determine colors and
logo image location, etc).

I use a JSP custom tag to handle the brand bean retrieval:

HttpServletRequest request = (HttpServletRequest)pageContext.getRequest();
HttpSession session = request.getSession();
session.invalidate();
HttpSession newsession = request.getSession(true);

// code to retrieve the brandbean omitted to reduce the clutter

session.setAttribute(brand,brandbean);


My JSP code for login_form.jsp contains this excerpt:

mytags:newuser /
jsp:useBean id=brand scope=session
type=com.mycompany.beans.BrandBean/

The resulting output when trying to access the page is as follows:

java.lang.IllegalStateException: Session was invalidated
at com.evermind[Orion/1.5.2 (build
10460)].server.http.EvermindHttpSession.getAttribute(Unknown Source)
at /login_form.jsp._jspService(/login_form.jsp.java:58)
// additional inconsequential stacktrace omitted.

It is obvious here that the object reference used to access the session
scope from the useBean tag has grown stale and is not effected by calls to
the request object's getSession(boolean) method.

A secondary issue is that the actual Session ID does not change when a new
session is requested.  I would like this to take place as well if it is
possible.  Does anyone have any suggestion of what I can implement without
creating nasty scriptlet code or otherwise significantly altering my control
flow?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of The
elephantwalker
Sent: Tuesday, September 18, 2001 3:11 PM
To: Orion-Interest
Subject: RE: session bug


Rafael,

This won't work reliably on  a post request, because the session management
also depends on cookies. In order to make sure you get a new session, you
will need to put in something like this (only for post request):

session.invalidate()
session = request.getSession(true);

if(!session.getNew()) response.sendRedirect(/logout);

This will work about 99% of the time...whereas if you just do
session.invalidate(), session=request.getSession(true) it won't work in a
post request.

Regards,

the elephantwalker


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez
Sent: Tuesday, September 18, 2001 11:00 AM
To: Orion-Interest
Subject: Re: session bug


Hello Denis,
Try doing this:
session = request.getSession(true);
System.out.println(session = request.getSession(false);\t +
session.hashCode());
System.out.println(session =  + session);
session.invalidate();
System.out.println(session.invalidate();\t + session.hashCode());
System.out.println(session =  + session);
session = request.getSession(true);
System.out.println(session = request.getSession();\t +
session.hashCode());
System.out.println(session =  + session);

That way you'll get a new session after the session is invalidated.
The problem arises because the session object that is associated with
the request object is the invalidated one