RE: Tomcat 4.1.18 session objects
Howdy, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I am too late to respond, as others (Will and Craig) have already pointed out a few ways in which session tracking as described in your original design is not 100% reliable. The session IDs for the same user will be different before/after persistence to disk, there are global across webapps so you're not tracking just the people logged on to your webapp, etc. I will, however, point out another reason: a client that chooses never to join a session. Per the spec, this is valid and the container is required to support it. Specifically from the HttpSession javadoc: A servlet should be able to handle cases in which the client does not choose to join a session, such as when cookies are intentionally turned off. Until the client joins the session, isNew returns true. If the client chooses not to join the session, getSession will return a different session on each request, and isNew will always return true. In such cases, the value of session tracking drops significantly. I don't know how commons such cases are: they may be very rare. Nonetheless, it's a possibility to consider. I didn't say using sessions is completely unreliable. But it's not 100% foolproof either, and depending on what you're using session tracking for, you may need 100% accuracy. For example, some systems charge users per online time. In those systems, the designer better have a method for tracking user online time that he/she can legally prove is always accurate. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat 4.1.18 session objects
Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Could someone answer 'session' question mentioned below | I moved my web appl from Tomcat 4.0.4 to Tomcat4.1.18. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. -- Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 4.1.18 session objects
Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 4.1.18 session objects
Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 4.1.18 session objects
sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 4.1.18 session objects
Another way to track users would be to use a filter mapped to all of the relevant resources in your webapp. When the request hits the filter, the filter checks the session to find out which user is making the request (assuming that you have bound a User object to the session as you described in your post below) and logs the request with the associated User. Erik Filip Hanik wrote: sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 4.1.18 session objects
I realise that sessions are for user tracking, etc but I wanted to know why it was suggested that it was a bad idea to store them in a vector so that you would have access to a list of users who are currently logged in (have valid sessions). As I understand it Tomcat doesn't give you the ability to access such a list so you would have to store it yourself. Why would this be unreliable? Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:29 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat 4.1.18 session objects
you are right,it is totally doable. just remember to clean up yourself when the session expires. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:09 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects I realise that sessions are for user tracking, etc but I wanted to know why it was suggested that it was a bad idea to store them in a vector so that you would have access to a list of users who are currently logged in (have valid sessions). As I understand it Tomcat doesn't give you the ability to access such a list so you would have to store it yourself. Why would this be unreliable? Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:29 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 4.1.18 session objects
From: Greg Speechley [EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:09 PM Subject: RE: Tomcat 4.1.18 session objects I realise that sessions are for user tracking, etc but I wanted to know why it was suggested that it was a bad idea to store them in a vector so that you would have access to a list of users who are currently logged in (have valid sessions). As I understand it Tomcat doesn't give you the ability to access such a list so you would have to store it yourself. Why would this be unreliable? It was probably removed or never added for similar reasons why you can't access the other servlets within a container. Conceptually, if you could sniff other sessions destined for other users/servlets/webapps, you might create a monsterous security hole in a shared container. Since there's no real way (according to spec) to bind sessions to a particular webapp, sessions end up be global to the container (so you have a globals session list vs a webapp specific session list). Now, if they WERE webapp specific sessions, no doubt folks would be screaming about wanting to make them global, so you really can't win. As someone else mentioned, you might try caching the sessions into a global map with a filter if you'd like to track users, but, particularly with session persistence and reloading, there's no guarantee that a session is the same session as the one you have stored in your list. Regards, Will Hartung ([EMAIL PROTECTED]) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 4.1.18 session objects
Since HttpSession is an interface, the object that you're planning on cacheing is a container-specific implementaion. In fact, there's no guarantee that you'll get the same instance on successive retrievals of the session. I'd say it's a bad idea to maintain strong references to container-specific classes, it may interfere with their normal lifecycle. Filip Hanik wrote: you are right,it is totally doable. just remember to clean up yourself when the session expires. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:09 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects I realise that sessions are for user tracking, etc but I wanted to know why it was suggested that it was a bad idea to store them in a vector so that you would have access to a list of users who are currently logged in (have valid sessions). As I understand it Tomcat doesn't give you the ability to access such a list so you would have to store it yourself. Why would this be unreliable? Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:29 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
RE: Tomcat 4.1.18 session objects
Clean up would just be invalidating the session and removing it from the vector? Nothing else I am missing? Cheers Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:44 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects you are right,it is totally doable. just remember to clean up yourself when the session expires. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:09 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects I realise that sessions are for user tracking, etc but I wanted to know why it was suggested that it was a bad idea to store them in a vector so that you would have access to a list of users who are currently logged in (have valid sessions). As I understand it Tomcat doesn't give you the ability to access such a list so you would have to store it yourself. Why would this be unreliable? Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:29 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional
RE: Tomcat 4.1.18 session objects
yes, the session can get invalidated two ways, one, you invalidate it yourself, or the session expires Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:29 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Clean up would just be invalidating the session and removing it from the vector? Nothing else I am missing? Cheers Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:44 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects you are right,it is totally doable. just remember to clean up yourself when the session expires. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:09 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects I realise that sessions are for user tracking, etc but I wanted to know why it was suggested that it was a bad idea to store them in a vector so that you would have access to a list of users who are currently logged in (have valid sessions). As I understand it Tomcat doesn't give you the ability to access such a list so you would have to store it yourself. Why would this be unreliable? Greg -Original Message- From: Filip Hanik [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 10:29 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects sessions are designed exactly for that, tracking users. tomcat stores them for you, all you need is to store your user object in the session. Filip -Original Message- From: Greg Speechley [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:54 PM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Hi Yoav, I was wondering why using sessions is unreliable for tracking users who are logged in, getting last accessed time, etc? I would have thought that storing all the current sessions in a Vector (or some other data structure) with a User object (storing all their relevant info) bound to each session would work well. What alternative would you suggest because the situation described by R.C.Nougain sounds very similar to what we have where I work. Cheers Greg Speechley -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Wednesday, 26 February 2003 12:46 AM To: Tomcat Users List Subject: RE: Tomcat 4.1.18 session objects Howdy, Where can I find the changes list from Tomcat 4.0.x to Tomcat 4.1.x. Download any release of tomcat. Explode the distribution and you'll see a bunch of release notes files, one for each labeled release, detailing what's new in that release. | For each user session I store the reference| to the session in a Vector so that I | can tell what users are logged-in, last-accessed-time etc. It was working fine | in Tomcat 4.0.4. But in Tomcat4.1.18 (perhaps due to new specifications) session | objects are pooled (StandardSessionFactory) and hence the references I | am storing in the Vector become useless across the jsp page calls. I have a | thread that uses this Vector to clean up the users that are timedout but since | the session refs in my Vector are useless I can do nothing. Instead of | storing the refs if I store Session IDs then can I get ref to a session from | JSP Server so that I can get the attributes I have set in it. Please comment. Since you only asked for comments... There is no new specification regarding http servlet sessions from tomcat 4.0 to 4.1. It's still the servlet spec v2.3. Your design is vulnerable to any changes in the container session façade implementation. Note that the container is not required to provide you with a session list per se. I don't think using sessions to track who's logged in and last-access-time for resources is reliable. But if you want to do it that way, write an HttpSessionListener. It was created for these sort of session tracking things. Move your vector into that listener. Add a reference each time a session is created, remove it when a session is destroyed. Add whatever other functionality you need to the listener. Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
RE: Tomcat 4.1.18 session objects
On Tue, 25 Feb 2003, Filip Hanik wrote: Date: Tue, 25 Feb 2003 16:41:45 -0800 From: Filip Hanik [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: RE: Tomcat 4.1.18 session objects yes, the session can get invalidated two ways, one, you invalidate it yourself, or the session expires There is a third scenario you have to worry about sometimes, even with Tomcat -- if you're using something like PersistentSessionManager that swaps active (but idle) sessions out to disk and back in again, you can be guaranteed that the HttpSession instances for that same session id will be different before and after a swapout/swapin cycle. You can catch this case by implementing an HttpSessionActivation listener and nothing when passivation (swap out to disk) and activation (swap back in from disk) happened. A fourth case relates to the fact that Tomcat saves and restores sessions across a server or application restart -- this is supposed to also triggers the activation and passivation stuff, so the same solution should apply here as well. Filip Craig - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
