Re: HttpSession tracking

2024-03-22 Thread Christopher Schultz

Robert.

On 3/22/24 14:11, Robert Turner wrote:

Thanks for figuring it out -- I will keep that in mind when I go to split
our "mega session object" up as that will impact some of the decisions for
sure.

Yeah, I guess you end up with a "dummy object" on the session as a result
-- I guess we got lucky with ours -- our handlers on the session object
call out to a "singleton" for tracking, so we probably never really thought
too much about it. So if you have an object on the session already, it pays
to just extend it and call out to the "singleton" instead (like we have).


Or, more likely, whoever implemented it discovered that you *must* have 
a singleton for this kind of thing, and didn't just get lucky. :)



Some of the listener docs do often leave me wondering how exactly some of
them work (like who creates the object instance for this thing - like for
ServletContextListener).


The container does. It's in the spec :)

If you haven't read it, it's 100% worth reading and it's quite readable. 
It was written by real humans trying to get a job done and not lawyers. 
or whatever.



Although the one  you quoted does seem to be
"clear enough" at least to me (not sure if your comments were sarcastic or
not).


Nope. I meant "I either didn't read this, or ignored what it said" 
because there really is no confusion, there.



I'm not sure it's a good design though -- you would think session
listeners would be independent of the objects on the sessions. Hopefully
there was some logic behind the original design that isn't captured in the
code docs (well, I hope there was).


I can't know why the original design was the way that it was. Would be 
interesting to be able to have an "observer" listener that doesn't have 
to be put into each and every session? Possibly. But this isn't 
particularly "expensive" to implement using the existing interfaces and 
their existing semantics.


My guess is that sessionWillPassivate and sessionDidActivate are there 
so that caches, connections to other systems, etc. can be re-created 
after a session comes back into memory for things that aren't 
appropriate to be Serializable. Maybe that's not appropriate for *every* 
session and also if you put 10 caches into a session you just implement 
each of your 10 re-creation algorithms separately.


If you had one uber-listener, it would have to understand how to 
re-create all 10 of those caches and so the fine-grained notification 
system is actually more flexible.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: HttpSession tracking

2024-03-22 Thread Robert Turner
Thanks for figuring it out -- I will keep that in mind when I go to split
our "mega session object" up as that will impact some of the decisions for
sure.

Yeah, I guess you end up with a "dummy object" on the session as a result
-- I guess we got lucky with ours -- our handlers on the session object
call out to a "singleton" for tracking, so we probably never really thought
too much about it. So if you have an object on the session already, it pays
to just extend it and call out to the "singleton" instead (like we have).

Some of the listener docs do often leave me wondering how exactly some of
them work (like who creates the object instance for this thing - like for
ServletContextListener).  Although the one  you quoted does seem to be
"clear enough" at least to me (not sure if your comments were sarcastic or
not). I'm not sure it's a good design though -- you would think session
listeners would be independent of the objects on the sessions. Hopefully
there was some logic behind the original design that isn't captured in the
code docs (well, I hope there was).

On Fri, Mar 22, 2024 at 2:02 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> All,
>
> On 3/22/24 09:59, Christopher Schultz wrote:
> > All,
> >
> > On 3/22/24 09:33, Robert Turner wrote:
> >> On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >>> Robert,
> >>>
> >>> On 3/21/24 15:31, Robert Turner wrote:
>  We receive the sessionWillPassivate and sessionDidActivate callbacks
>  on startup. Odd that you are not. That's how we achieve the same.
> >>> On 3/21/24 16:21, Robert Turner wrote:
>  Just to add a bit more information, our handler class, for better or
>  for
>  worse, implements the following interfaces all in one class:
> 
> implements HttpSessionBindingListener,
>  HttpSessionActivationListener,
>  HttpSessionIdListener, HttpSessionListener, ServletContextListener
> >>>
> >>> Hmm.
> >>>
> >>> I'm already using HttpSessionListener and HttpSessionActivationListener
> >>> and logging every event I receive.
> >>>
> >>> HttpSessionIdListener only lets you know when ids are changed, and I
> >>> actually don't care about those events. I added it, and see no change
> in
> >>> behavior.
> >>>
> >>> HttpSessionBindingListener shouldn't do anything, here, as it will only
> >>> be called when objects are added or removed (and it only *that
> object*).
> >>> During activation and passivation, I wouldn't expect anything to be
> >>> added or removed.
> >>>
> >>> ServletContextListener wouldn't do anything in and of itself, except
> >>> possibly get the listener started earlier. I added it and do not see
> any
> >>> change in behavior.
> >>>
> >>>
> >> Yeah, I wasn't really suggesting adding all those listener interfaces --
> >> more just saying that's what we did in case somehow it made a difference
> >> for you. Certainly you shouldn't have to add them to get it to work.
> >>
> >>
> >>
>  We also use that same class as our "session model" object that we
>  bind as
>  an attribute to the session itself (it's a bit of a mixed bag
> >>> historically
>  that I want to clean up).
> 
>  And in terms of registration, we do not have any annotations on the
> >>> class,
>  instead we register it in web.xml (in the application WAR file) using
> a
>  standard listener entry:
> 
>  
>    <>
>  
> 
>  Our web.xml is set at Servlet API version 3.0 (kind-of old), and we
> are
>  running against Tomcat 9.5 (and this worked on 8.5 and before as
> well).
> 
>  Not sure if that adds anything Chris that you haven't already looked
>  at.
> >>>
> >>> I believe mine is set up identically to yours at this point, except for
> >>> the HttpSessionBindingListener.
> >>>
>  I would really prefer a way to query the sessions from the app, but
>  as we
>  know, that's not part of the current Servlet specification, or any
>  extensions Tomcat currently provides.
> >>>
> >>> It wouldn't really be appropriate for Tomcat to provide any
> "extensions"
> >>> like this because it would make applications reliant on capabilities
> >>> that aren't standard. When companies do that, it's called "vendor
> >>> lock-in" and it's not a good look for ASF.
> >>>
> >>>
> >> Yeah, vendor lock-in isn't great -- and I wouldn't really suggest Tomcat
> >> doing that either; it would be better in the Servlet specification, but
> I
> >> doubt, for various reasons, it would get added.
> >>
> >> Your case is certainly odd -- I suppose you might have to resort to
> >> firing
> >> up a debugger and debug build and seeing what's going on in Tomcat...(at
> >> least you are more used to doing that on Tomcat than most of us).
> >
> > So... by went ahead and loaded-up this class with *everything* -
> > including putting the listener class instance into every session and I
> > do indeed get "session will passivate" and "ses

Re: HttpSession tracking

2024-03-22 Thread Christopher Schultz

All,

On 3/22/24 09:59, Christopher Schultz wrote:

All,

On 3/22/24 09:33, Robert Turner wrote:

On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Robert,

On 3/21/24 15:31, Robert Turner wrote:

We receive the sessionWillPassivate and sessionDidActivate callbacks
on startup. Odd that you are not. That's how we achieve the same.

On 3/21/24 16:21, Robert Turner wrote:
Just to add a bit more information, our handler class, for better or 
for

worse, implements the following interfaces all in one class:

   implements HttpSessionBindingListener, 
HttpSessionActivationListener,

HttpSessionIdListener, HttpSessionListener, ServletContextListener


Hmm.

I'm already using HttpSessionListener and HttpSessionActivationListener
and logging every event I receive.

HttpSessionIdListener only lets you know when ids are changed, and I
actually don't care about those events. I added it, and see no change in
behavior.

HttpSessionBindingListener shouldn't do anything, here, as it will only
be called when objects are added or removed (and it only *that object*).
During activation and passivation, I wouldn't expect anything to be
added or removed.

ServletContextListener wouldn't do anything in and of itself, except
possibly get the listener started earlier. I added it and do not see any
change in behavior.



Yeah, I wasn't really suggesting adding all those listener interfaces --
more just saying that's what we did in case somehow it made a difference
for you. Certainly you shouldn't have to add them to get it to work.



We also use that same class as our "session model" object that we 
bind as

an attribute to the session itself (it's a bit of a mixed bag

historically

that I want to clean up).

And in terms of registration, we do not have any annotations on the

class,

instead we register it in web.xml (in the application WAR file) using a
standard listener entry:


  <>


Our web.xml is set at Servlet API version 3.0 (kind-of old), and we are
running against Tomcat 9.5 (and this worked on 8.5 and before as well).

Not sure if that adds anything Chris that you haven't already looked 
at.


I believe mine is set up identically to yours at this point, except for
the HttpSessionBindingListener.

I would really prefer a way to query the sessions from the app, but 
as we

know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.


It wouldn't really be appropriate for Tomcat to provide any "extensions"
like this because it would make applications reliant on capabilities
that aren't standard. When companies do that, it's called "vendor
lock-in" and it's not a good look for ASF.



Yeah, vendor lock-in isn't great -- and I wouldn't really suggest Tomcat
doing that either; it would be better in the Servlet specification, but I
doubt, for various reasons, it would get added.

Your case is certainly odd -- I suppose you might have to resort to 
firing

up a debugger and debug build and seeing what's going on in Tomcat...(at
least you are more used to doing that on Tomcat than most of us).


So... by went ahead and loaded-up this class with *everything* - 
including putting the listener class instance into every session and I 
do indeed get "session will passivate" and "session has activated" log 
messgaes.


So I started removing things and it kept working until ... it didn't.

I'm trying to track-down exactly what difference makes it work, but it 
doesn't many any sense to me.


The StandardManager code looks like this:

   if (log.isTraceEnabled()) {
   log.trace("Loading " + n + " persisted sessions");
   }
   for (int i = 0; i < n; i++) {
   StandardSession session = getNewSession();
   session.readObjectData(ois);
   session.setManager(this);
   sessions.put(session.getIdInternal(), session);
   session.activate();
   if (!session.isValidInternal()) {
   // If session is already invalid,
   // expire session to prevent memory leak.
   session.setValid(true);
   session.expire();
   }
   sessionCounter++;
   }

and StandardSession.activate looks like this:

     public void activate() {

     // Initialize access count
     if (ACTIVITY_CHECK) {
     accessCount = new AtomicInteger();
     }

     // Notify interested session event listeners
     fireSessionEvent(SESSION_ACTIVATED_EVENT, null);

     // Notify ActivationListeners
     HttpSessionEvent event = null;
     String keys[] = keys();
     for (String key : keys) {
     Object attribute = attributes.get(key);
     if (attribute instanceof HttpSessionActivationListener) {
     if (event == null) {
     event = new HttpSessionEvent(getSession());
     }
     try {
     ((HttpSessionActivationListener) 
attribute).sessionDidActivate(event);

     } catch (Throwable t

Re: HttpSession tracking

2024-03-22 Thread Christopher Schultz

All,

On 3/22/24 09:33, Robert Turner wrote:

On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Robert,

On 3/21/24 15:31, Robert Turner wrote:

We receive the sessionWillPassivate and sessionDidActivate callbacks
on startup. Odd that you are not. That's how we achieve the same.

On 3/21/24 16:21, Robert Turner wrote:

Just to add a bit more information, our handler class, for better or for
worse, implements the following interfaces all in one class:

   implements HttpSessionBindingListener, HttpSessionActivationListener,
HttpSessionIdListener, HttpSessionListener, ServletContextListener


Hmm.

I'm already using HttpSessionListener and HttpSessionActivationListener
and logging every event I receive.

HttpSessionIdListener only lets you know when ids are changed, and I
actually don't care about those events. I added it, and see no change in
behavior.

HttpSessionBindingListener shouldn't do anything, here, as it will only
be called when objects are added or removed (and it only *that object*).
During activation and passivation, I wouldn't expect anything to be
added or removed.

ServletContextListener wouldn't do anything in and of itself, except
possibly get the listener started earlier. I added it and do not see any
change in behavior.



Yeah, I wasn't really suggesting adding all those listener interfaces --
more just saying that's what we did in case somehow it made a difference
for you. Certainly you shouldn't have to add them to get it to work.




We also use that same class as our "session model" object that we bind as
an attribute to the session itself (it's a bit of a mixed bag

historically

that I want to clean up).

And in terms of registration, we do not have any annotations on the

class,

instead we register it in web.xml (in the application WAR file) using a
standard listener entry:


  <>


Our web.xml is set at Servlet API version 3.0 (kind-of old), and we are
running against Tomcat 9.5 (and this worked on 8.5 and before as well).

Not sure if that adds anything Chris that you haven't already looked at.


I believe mine is set up identically to yours at this point, except for
the HttpSessionBindingListener.


I would really prefer a way to query the sessions from the app, but as we
know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.


It wouldn't really be appropriate for Tomcat to provide any "extensions"
like this because it would make applications reliant on capabilities
that aren't standard. When companies do that, it's called "vendor
lock-in" and it's not a good look for ASF.



Yeah, vendor lock-in isn't great -- and I wouldn't really suggest Tomcat
doing that either; it would be better in the Servlet specification, but I
doubt, for various reasons, it would get added.

Your case is certainly odd -- I suppose you might have to resort to firing
up a debugger and debug build and seeing what's going on in Tomcat...(at
least you are more used to doing that on Tomcat than most of us).


So... by went ahead and loaded-up this class with *everything* - 
including putting the listener class instance into every session and I 
do indeed get "session will passivate" and "session has activated" log 
messgaes.


So I started removing things and it kept working until ... it didn't.

I'm trying to track-down exactly what difference makes it work, but it 
doesn't many any sense to me.


The StandardManager code looks like this:

  if (log.isTraceEnabled()) {
  log.trace("Loading " + n + " persisted sessions");
  }
  for (int i = 0; i < n; i++) {
  StandardSession session = getNewSession();
  session.readObjectData(ois);
  session.setManager(this);
  sessions.put(session.getIdInternal(), session);
  session.activate();
  if (!session.isValidInternal()) {
  // If session is already invalid,
  // expire session to prevent memory leak.
  session.setValid(true);
  session.expire();
  }
  sessionCounter++;
  }

and StandardSession.activate looks like this:

public void activate() {

// Initialize access count
if (ACTIVITY_CHECK) {
accessCount = new AtomicInteger();
}

// Notify interested session event listeners
fireSessionEvent(SESSION_ACTIVATED_EVENT, null);

// Notify ActivationListeners
HttpSessionEvent event = null;
String keys[] = keys();
for (String key : keys) {
Object attribute = attributes.get(key);
if (attribute instanceof HttpSessionActivationListener) {
if (event == null) {
event = new HttpSessionEvent(getSession());
}
try {
((HttpSessionActivationListener) 
attribute).sessionDidActivate(event);

} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);

manager.getContext().getLogger().err

Re: HttpSession tracking

2024-03-22 Thread Robert Turner
On Fri, Mar 22, 2024 at 9:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Robert,
>
> On 3/21/24 15:31, Robert Turner wrote:
> > We receive the sessionWillPassivate and sessionDidActivate callbacks
> > on startup. Odd that you are not. That's how we achieve the same.
> On 3/21/24 16:21, Robert Turner wrote:
> > Just to add a bit more information, our handler class, for better or for
> > worse, implements the following interfaces all in one class:
> >
> >   implements HttpSessionBindingListener, HttpSessionActivationListener,
> > HttpSessionIdListener, HttpSessionListener, ServletContextListener
>
> Hmm.
>
> I'm already using HttpSessionListener and HttpSessionActivationListener
> and logging every event I receive.
>
> HttpSessionIdListener only lets you know when ids are changed, and I
> actually don't care about those events. I added it, and see no change in
> behavior.
>
> HttpSessionBindingListener shouldn't do anything, here, as it will only
> be called when objects are added or removed (and it only *that object*).
> During activation and passivation, I wouldn't expect anything to be
> added or removed.
>
> ServletContextListener wouldn't do anything in and of itself, except
> possibly get the listener started earlier. I added it and do not see any
> change in behavior.
>
>
Yeah, I wasn't really suggesting adding all those listener interfaces --
more just saying that's what we did in case somehow it made a difference
for you. Certainly you shouldn't have to add them to get it to work.



> > We also use that same class as our "session model" object that we bind as
> > an attribute to the session itself (it's a bit of a mixed bag
> historically
> > that I want to clean up).
> >
> > And in terms of registration, we do not have any annotations on the
> class,
> > instead we register it in web.xml (in the application WAR file) using a
> > standard listener entry:
> >
> > 
> >  <>
> > 
> >
> > Our web.xml is set at Servlet API version 3.0 (kind-of old), and we are
> > running against Tomcat 9.5 (and this worked on 8.5 and before as well).
> >
> > Not sure if that adds anything Chris that you haven't already looked at.
>
> I believe mine is set up identically to yours at this point, except for
> the HttpSessionBindingListener.
>
> > I would really prefer a way to query the sessions from the app, but as we
> > know, that's not part of the current Servlet specification, or any
> > extensions Tomcat currently provides.
>
> It wouldn't really be appropriate for Tomcat to provide any "extensions"
> like this because it would make applications reliant on capabilities
> that aren't standard. When companies do that, it's called "vendor
> lock-in" and it's not a good look for ASF.
>
>
Yeah, vendor lock-in isn't great -- and I wouldn't really suggest Tomcat
doing that either; it would be better in the Servlet specification, but I
doubt, for various reasons, it would get added.

Your case is certainly odd -- I suppose you might have to resort to firing
up a debugger and debug build and seeing what's going on in Tomcat...(at
least you are more used to doing that on Tomcat than most of us).

>
>


Re: HttpSession tracking

2024-03-22 Thread Christopher Schultz

Robert,

On 3/21/24 15:31, Robert Turner wrote:

We receive the sessionWillPassivate and sessionDidActivate callbacks
on startup. Odd that you are not. That's how we achieve the same.

On 3/21/24 16:21, Robert Turner wrote:

Just to add a bit more information, our handler class, for better or for
worse, implements the following interfaces all in one class:

  implements HttpSessionBindingListener, HttpSessionActivationListener,
HttpSessionIdListener, HttpSessionListener, ServletContextListener


Hmm.

I'm already using HttpSessionListener and HttpSessionActivationListener 
and logging every event I receive.


HttpSessionIdListener only lets you know when ids are changed, and I 
actually don't care about those events. I added it, and see no change in 
behavior.


HttpSessionBindingListener shouldn't do anything, here, as it will only 
be called when objects are added or removed (and it only *that object*). 
During activation and passivation, I wouldn't expect anything to be 
added or removed.


ServletContextListener wouldn't do anything in and of itself, except 
possibly get the listener started earlier. I added it and do not see any 
change in behavior.



We also use that same class as our "session model" object that we bind as
an attribute to the session itself (it's a bit of a mixed bag historically
that I want to clean up).

And in terms of registration, we do not have any annotations on the class,
instead we register it in web.xml (in the application WAR file) using a
standard listener entry:


 <>


Our web.xml is set at Servlet API version 3.0 (kind-of old), and we are
running against Tomcat 9.5 (and this worked on 8.5 and before as well).

Not sure if that adds anything Chris that you haven't already looked at.


I believe mine is set up identically to yours at this point, except for 
the HttpSessionBindingListener.



I would really prefer a way to query the sessions from the app, but as we
know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.


It wouldn't really be appropriate for Tomcat to provide any "extensions" 
like this because it would make applications reliant on capabilities 
that aren't standard. When companies do that, it's called "vendor 
lock-in" and it's not a good look for ASF.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: HttpSession tracking

2024-03-21 Thread Robert Turner
Just to add a bit more information, our handler class, for better or for
worse, implements the following interfaces all in one class:

 implements HttpSessionBindingListener, HttpSessionActivationListener,
HttpSessionIdListener, HttpSessionListener, ServletContextListener

We also use that same class as our "session model" object that we bind as
an attribute to the session itself (it's a bit of a mixed bag historically
that I want to clean up).

And in terms of registration, we do not have any annotations on the class,
instead we register it in web.xml (in the application WAR file) using a
standard listener entry:


<>


Our web.xml is set at Servlet API version 3.0 (kind-of old), and we are
running against Tomcat 9.5 (and this worked on 8.5 and before as well).

Not sure if that adds anything Chris that you haven't already looked at.

I would really prefer a way to query the sessions from the app, but as we
know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.

Robert



On Thu, Mar 21, 2024 at 3:31 PM Robert Turner  wrote:

> We receive the sessionWillPassivate and sessionDidActivate callbacks on
> startup. Odd that you are not. That's how we achieve the same.
>
> On Thu, Mar 21, 2024 at 3:25 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> All,
>>
>> After having written a solution using JMX to do something like this, I'd
>> like to make it cleaner and I'm not sure it's entirely possible using
>> just Servlet APIs.
>>
>> I'd like to be able to track every HttpSession for the application.
>>
>> for admin purposes, I'd like to be able to analyze:
>>
>> 1. The total number of sessions
>>
>> 2. The number of sessions which represent a logged-in user vs a
>> crawler-session or someone who visited the home-page and got a session
>> but never logged-in
>>
>> 3. Checking-out some specific roles of those logged-in users e.g.
>> end-user, staff, admin
>>
>> 4. Be able to kill a session at will. For example "chris is already
>> logged-in, kill his old session and let the new login remain"
>>
>> I started with the obvious HttpSessionListener +
>> HttpSessionActivationListener, but I tried this experiment and it didn't
>> turn out how I expected:
>>
>> 1. Start the application and hit the front page
>>
>> -> I get a call to HttpSessionListener.sessionCreated (expected)
>>
>> 2. Login
>>
>> 3. Logout
>>
>> -> I get a call to HttpSessionListener.sessionDestroyed (expected)
>> -> I get a call to HttpSessionListener.sessionCreated (expected)
>> (this second one happens because our home-page creates a session)
>>
>> 4. Login again
>>
>> 5. Stop Tomcat
>>
>> -> No calls to anything I can see
>>
>> 6. Start Tomcat
>>
>> -> No calls to anything I can see
>>
>> 7. Access a protected page
>>
>> -> Access is allowed; I'm still logged-in.
>>
>> When Tomcat shuts-down, it's saving the sessions using local
>> persistence[1]. When the application comes back up, all those sessions
>> are restored from the disk.
>>
>> When my HttpSeessionListener starts, it's empty and doesn't know about
>> any sessions. Tomcat doesn't notify it that any sessions are coming from
>> that storage.
>>
>> I would have expected calls to
>> HttpSessionActivationListener.sessionWillPassivate and
>> HttpSessionActivationListener.sessionDidActivate.
>>
>> Do I have unrealistic expectations? Is there a way to capture these
>> events so my in-memory session-watcher/manager is able to have an
>> accurate view of what Tomcat can see?
>>
>> Thanks,
>> -chris
>>
>> [1]
>>
>> https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html#Persistence_Across_Restarts
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>


Re: HttpSession tracking

2024-03-21 Thread Robert Turner
We receive the sessionWillPassivate and sessionDidActivate callbacks on
startup. Odd that you are not. That's how we achieve the same.

On Thu, Mar 21, 2024 at 3:25 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> All,
>
> After having written a solution using JMX to do something like this, I'd
> like to make it cleaner and I'm not sure it's entirely possible using
> just Servlet APIs.
>
> I'd like to be able to track every HttpSession for the application.
>
> for admin purposes, I'd like to be able to analyze:
>
> 1. The total number of sessions
>
> 2. The number of sessions which represent a logged-in user vs a
> crawler-session or someone who visited the home-page and got a session
> but never logged-in
>
> 3. Checking-out some specific roles of those logged-in users e.g.
> end-user, staff, admin
>
> 4. Be able to kill a session at will. For example "chris is already
> logged-in, kill his old session and let the new login remain"
>
> I started with the obvious HttpSessionListener +
> HttpSessionActivationListener, but I tried this experiment and it didn't
> turn out how I expected:
>
> 1. Start the application and hit the front page
>
> -> I get a call to HttpSessionListener.sessionCreated (expected)
>
> 2. Login
>
> 3. Logout
>
> -> I get a call to HttpSessionListener.sessionDestroyed (expected)
> -> I get a call to HttpSessionListener.sessionCreated (expected)
> (this second one happens because our home-page creates a session)
>
> 4. Login again
>
> 5. Stop Tomcat
>
> -> No calls to anything I can see
>
> 6. Start Tomcat
>
> -> No calls to anything I can see
>
> 7. Access a protected page
>
> -> Access is allowed; I'm still logged-in.
>
> When Tomcat shuts-down, it's saving the sessions using local
> persistence[1]. When the application comes back up, all those sessions
> are restored from the disk.
>
> When my HttpSeessionListener starts, it's empty and doesn't know about
> any sessions. Tomcat doesn't notify it that any sessions are coming from
> that storage.
>
> I would have expected calls to
> HttpSessionActivationListener.sessionWillPassivate and
> HttpSessionActivationListener.sessionDidActivate.
>
> Do I have unrealistic expectations? Is there a way to capture these
> events so my in-memory session-watcher/manager is able to have an
> accurate view of what Tomcat can see?
>
> Thanks,
> -chris
>
> [1]
>
> https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html#Persistence_Across_Restarts
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>