RE: invalid sessions

2006-12-18 Thread Asensio, Rodrigo
It is really a pain in the ass to have a brand new session when the session is
dead.
It would be great to have a session.isNewBecauseTheOldIsDead()

-Original Message-
From: Asensio, Rodrigo [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 18, 2006 12:52 PM
To: Tomcat Users List
Subject: invalid sessions

Hi guys, I'm trying to reject users whose sessions were invalidated (on
purpose, because of a logout or timeout). But I found that there is no logical
combination in the session valid or invalid methods.

Case 1
First request
Session.isNew()  TRUE
Request.isRequestedSessionIdValid() FALSE

We can say that this is ok because you are still not authenticated.

Case 2
Session timeout
Next request will be
Session.isNew() TRUE   because creates a new session
Request.isRequestedSessionIdValid() FALSE 

The funny thing is if I request the session with create in false, it
always returns an object
Request.getSession(false) != null ALWAYS in this case.

I have no way to verify if the session was invalidated by a timeout.

I made a listener and put the invalid session in the DB but I have no
way to identify it because when a client comes back from an invalid session,
it creates a new one.

Do you know any way?


Thanks
Rodrigo




---
Rodrigo Asensio
Fuel Management Services
Gilbarco Veeder Root
phone: +1 336 547 5023
email: [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] 
 

-
To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: invalid sessions

2006-12-18 Thread Veit Guna
I check for invalidated sessions (timeout) the following way:

if (!lRequest.isRequestedSessionIdValid() &&
        lRequest.getRequestedSessionId() != null) {
    // The client sent a session id, but the container no longer knows it
    log.debug("session expired");
} else {
    log.debug("the normal way");
}

regards,
Veit






RE: invalid sessions

2006-12-18 Thread Asensio, Rodrigo
I saw that method and I read this.

Case brand new session
Session.getId() has some value
Request.getRequestedSessionId() is null because the browser is not
trying to reach some particular session

Case expired session
Session.getId() is different from Request.getRequestedSessionId()
because the browser is trying to reach a session that is no longer
available and the session.getSession() has
created a brand new session

In this case, for sure, your session has expired.

Is it so difficult to wrap these 2 methods in an isSessionExpired()?

Wtf!

Now, we also have to be aware of security browser settings.

Thanks !

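
The check discussed in the two replies above, written as a servlet filter. This is an added example, not code from the thread or from Tomcat; the class name ExpiredSessionFilter, the State enum and the /login path are assumptions. The requested session id is supplied by the client, so the third state covers timeout, logout, a container restart and an id that was never issued, and the code cannot tell these apart.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: classifies each request by the session id the client sent.
// Class name, enum and the /login path are hypothetical.
public class ExpiredSessionFilter implements Filter {

    enum State { NO_SESSION_REQUESTED, ACTIVE, EXPIRED_OR_UNKNOWN }

    // Neither call below creates a session as a side effect.
    static State classify(HttpServletRequest req) {
        if (req.getRequestedSessionId() == null) {
            // First visit, or the browser does not return the session cookie.
            return State.NO_SESSION_REQUESTED;
        }
        if (req.isRequestedSessionIdValid()) {
            return State.ACTIVE;
        }
        // An id was presented but the container has no valid session for it.
        return State.EXPIRED_OR_UNKNOWN;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String loginPath = req.getContextPath() + "/login";

        // The browser keeps sending the stale id until a new session cookie
        // replaces it, so the login page itself must be let through;
        // otherwise this redirect would loop.
        boolean onLoginPage = req.getRequestURI().equals(loginPath);
        if (classify(req) == State.EXPIRED_OR_UNKNOWN && !onLoginPage) {
            res.sendRedirect(loginPath + "?expired=1");
            return;
        }
        chain.doFilter(rq, rs);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Because the classification rests only on what the client sent, it is suitable for showing a "your session expired" message, not for any authorization decision.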