Problem with invalidating a session
I have following little jsp: htmlheadtitle/title/headbody % // Stripped down to the bare minimum. In the real life // this is intended to happen only on specific conditions session.invalidate(); session = request.getSession(true); // Now there is a new session session.putValue(Test, Test); %jsp:useBean id=testbean class=java.lang.String scope=session / Some Content (Only reached with Scope != session) /body/html The useBean with scope session fails as the pageContext holds a reference to the invalidated session. That causes tomcat to throw a IllegalStateException: getAttribute: Session already invalidated Although I quite understand why this happens, I couldn't find in the 1.2 Spec anything that denies this kind of usage. Is the spec just not precise enough or am I to blind to see it ? Has anybody a solution to work around this problem beside using a response.redirect() directly after invalidating the session? BTW: Please don't shout 'Do not use scriptlets in jsps', the code has to run in a jsp engine that doesn't support taglibs and filters. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Problem with invalidating a session
From the Servlet 2.3 Spec. (Some info snipped for brevity) HttpSerlvetRequest.getSession(boolean) Returns the current HttpSession associated with this request or, if if there is no current session and create is true, returns a new session. Parameters: codetrue/code - to create a new session for this request if necessary; false to return null if theres no current session Returns: the HttpSession associated with this request or null if create is false and the request has no valid session HttpSession.setAttribute(String, Object) Throws: IllegalStateException - if this method is called on an invalidated session Your code invalidates the session. getSession(true) is returning a reference to session you just the invalidated. There is no way to retrieve a new session. This behavior is correct for getSession(boolean) since a HttpSession is already been bound to the request. Since you invalidated it, the session becomes worthless. At that point, issuing a sendRedirect needs to be done to issue a new browser request to obtain a new session. My main point is getSession(true) must return a HttpSession. There is nothing in the spec that states if a session becomes invalidated during the life of a request, that getSession(true) must return a new session. -Tim Ralph Einfeldt wrote: I have following little jsp: htmlheadtitle/title/headbody % // Stripped down to the bare minimum. In the real life // this is intended to happen only on specific conditions session.invalidate(); session = request.getSession(true); // Now there is a new session session.putValue(Test, Test); %jsp:useBean id=testbean class=java.lang.String scope=session / Some Content (Only reached with Scope != session) /body/html The useBean with scope session fails as the pageContext holds a reference to the invalidated session. That causes tomcat to throw a IllegalStateException: getAttribute: Session already invalidated Although I quite understand why this happens, I couldn't find in the 1.2 Spec anything that denies this kind of usage. Is the spec just not precise enough or am I to blind to see it ? Has anybody a solution to work around this problem beside using a response.redirect() directly after invalidating the session? BTW: Please don't shout 'Do not use scriptlets in jsps', the code has to run in a jsp engine that doesn't support taglibs and filters. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: Problem with invalidating a session
See below: -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 2:14 PM To: Tomcat Users List Subject: Re: Problem with invalidating a session Your code invalidates the session. getSession(true) is returning a reference to session you just the invalidated. No it's a new session. (getId() returns a different value) If that would be the problem the exception would already be thrown in 'session.putValue(Test, Test)', but it is thrown in PageContextImpl.getAttribute() (which part of the generated code for use bean) if the scope of the bean is session. The real problem is, that pageContext has still a reference the the invalidated session. My main point is getSession(true) must return a HttpSession. There is nothing in the spec that states if a session becomes invalidated during the life of a request, that getSession(true) must return a new session. Here you have a point. I have read this in an older spec: HttpSession getSession(boolean create) Gets the current valid session associated with this request... Note the additional word 'valid'. This lead me to the conclusion it would create a session after the current session is invalidated. As two implementations (tomcat and gnujsp) behave in that way I didn't look in the current servlet spec to verify that. So to be realy spec compliant I have to omit that solution :{. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: Problem with invalidating a session
On Wed, 8 Jan 2003, Ralph Einfeldt wrote: Date: Wed, 8 Jan 2003 14:53:22 +0100 From: Ralph Einfeldt [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: RE: Problem with invalidating a session See below: -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 2:14 PM To: Tomcat Users List Subject: Re: Problem with invalidating a session Your code invalidates the session. getSession(true) is returning a reference to session you just the invalidated. No it's a new session. (getId() returns a different value) As it should be. If that would be the problem the exception would already be thrown in 'session.putValue(Test, Test)', but it is thrown in PageContextImpl.getAttribute() (which part of the generated code for use bean) if the scope of the bean is session. The real problem is, that pageContext has still a reference the the invalidated session. This is an issue only for JSP pages -- the PageContext implementation variable's contents (and the local scripting variable session) are only synchronized with reality at the beginning of the page (plus the extra synchronization that happens for attributes at the beginning and ending of tags, but that doesn't solve your problem. If you want to switch sessions in the middle of a request, do it in a servlet, not a JSP page. More generally, if you want to do business logic in the middle of a request, do it in a servlet not in a JSP page :-). You will find MVC frameworks like Struts http://jakarta.apache.org/struts/ make this an easy thing to set up. Craig -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]