Problem with invalidating a session

2003-01-08 Thread Ralph Einfeldt 

I have following little jsp:

htmlheadtitle/title/headbody
%

  // Stripped down to the bare minimum. In the real life
  // this is intended to happen only on specific conditions
  session.invalidate();
  session = request.getSession(true);

  // Now there is a new session
  session.putValue(Test, Test);

%jsp:useBean
   id=testbean
   class=java.lang.String
   scope=session
/
Some Content (Only reached with Scope != session)
/body/html

The useBean with scope session fails as the pageContext
holds a reference to the invalidated session.
That causes tomcat to throw a IllegalStateException:
getAttribute: Session already invalidated

Although I quite understand why this happens, I couldn't find
in the 1.2 Spec anything that denies this kind of usage.

Is the spec just not precise enough or am I to blind to see it ?

Has anybody a solution to work around this problem beside using 
a response.redirect() directly after invalidating the session?

BTW: Please don't shout 'Do not use scriptlets in jsps', the
code has to run in a jsp engine that doesn't support taglibs 
and filters. 



--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

Re: Problem with invalidating a session

2003-01-08 Thread Tim Funk 
From the Servlet 2.3 Spec. (Some info snipped for brevity)

HttpSerlvetRequest.getSession(boolean)
Returns the current HttpSession associated with this request or, if if 
there is no current session and create is true, returns a new session. 
Parameters:
codetrue/code - to create a new session for this request if 
necessary; false to return null if there’s no current session
Returns: the HttpSession associated with this request or null if create 
is false and the request has no valid session

HttpSession.setAttribute(String, Object)
Throws: IllegalStateException - if this method is called on an 
invalidated session


Your code invalidates the session. getSession(true) is returning a 
reference to session you just the invalidated. There is no way to 
retrieve a new session. This behavior is correct for 
getSession(boolean) since a HttpSession is already been bound to the 
request. Since you invalidated it, the session becomes worthless. At 
that point, issuing a sendRedirect needs to be done to issue a new 
browser request to obtain a new session.

My main point is getSession(true) must return a HttpSession. There is 
nothing in the spec that states if a session becomes invalidated during 
the life of a request, that getSession(true) must return a new session.

-Tim

Ralph Einfeldt wrote:
I have following little jsp:

htmlheadtitle/title/headbody
%

  // Stripped down to the bare minimum. In the real life
  // this is intended to happen only on specific conditions
  session.invalidate();
  session = request.getSession(true);

  // Now there is a new session
  session.putValue(Test, Test);

%jsp:useBean
   id=testbean
   class=java.lang.String
   scope=session
/
Some Content (Only reached with Scope != session)
/body/html

The useBean with scope session fails as the pageContext
holds a reference to the invalidated session.
That causes tomcat to throw a IllegalStateException:
getAttribute: Session already invalidated

Although I quite understand why this happens, I couldn't find
in the 1.2 Spec anything that denies this kind of usage.

Is the spec just not precise enough or am I to blind to see it ?

Has anybody a solution to work around this problem beside using 
a response.redirect() directly after invalidating the session?

BTW: Please don't shout 'Do not use scriptlets in jsps', the
code has to run in a jsp engine that doesn't support taglibs 
and filters. 



--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]





--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

RE: Problem with invalidating a session

2003-01-08 Thread Ralph Einfeldt 
See below:

 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 08, 2003 2:14 PM
 To: Tomcat Users List
 Subject: Re: Problem with invalidating a session

 Your code invalidates the session. getSession(true) is returning a 
 reference to session you just the invalidated.

No it's a new session. (getId() returns a different value)

If that would be the problem the exception would already be
thrown in 'session.putValue(Test, Test)', but it is thrown
in PageContextImpl.getAttribute() (which part of the generated 
code for use bean) if the scope of the bean is session.

The real problem is, that pageContext has still a reference
the the invalidated session.

 My main point is getSession(true) must return a HttpSession. There is 
 nothing in the spec that states if a session becomes invalidated 
 during the life of a request, that getSession(true) must return a 
 new session.

Here you have a point. I have read this in an older spec:

HttpSession getSession(boolean create)

 Gets the current valid session associated with this request...

Note the additional word 'valid'. This lead me to the conclusion
it would create a session after the current session is invalidated.
As two implementations (tomcat and gnujsp) behave in that way I 
didn't look in the current servlet spec to verify that.

So to be realy spec compliant I have to omit that solution :{.

--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

RE: Problem with invalidating a session

2003-01-08 Thread Craig R. McClanahan 


On Wed, 8 Jan 2003, Ralph Einfeldt wrote:

 Date: Wed, 8 Jan 2003 14:53:22 +0100
 From: Ralph Einfeldt [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: RE: Problem with invalidating a session

 See below:

  -Original Message-
  From: Tim Funk [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 08, 2003 2:14 PM
  To: Tomcat Users List
  Subject: Re: Problem with invalidating a session

  Your code invalidates the session. getSession(true) is returning a
  reference to session you just the invalidated.

 No it's a new session. (getId() returns a different value)


As it should be.

 If that would be the problem the exception would already be
 thrown in 'session.putValue(Test, Test)', but it is thrown
 in PageContextImpl.getAttribute() (which part of the generated
 code for use bean) if the scope of the bean is session.

 The real problem is, that pageContext has still a reference
 the the invalidated session.


This is an issue only for JSP pages -- the PageContext implementation
variable's contents (and the local scripting variable session) are only
synchronized with reality at the beginning of the page (plus the extra
synchronization that happens for attributes at the beginning and ending of
tags, but that doesn't solve your problem.

If you want to switch sessions in the middle of a request, do it in a
servlet, not a JSP page.

More generally, if you want to do business logic in the middle of a
request, do it in a servlet not in a JSP page :-).  You will find MVC
frameworks like Struts http://jakarta.apache.org/struts/ make this an
easy thing to set up.

Craig


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]