Philippe Bertramo wrote:
>
> My little opinion,
>
> if your servlets check for a new session creation,
> then if a user connects with a session bookmarked in the
> URL or stored in history, they will trap that the session
> is newly created, no?
>
> --> Well, actually I'm not sure, can someone confirm?
>
> So you can redirect users for new sessions to a welcome/login page.

I think you are correct, but I'm not sure because I'm having trouble
understanding what you wrote. This is what I think you are saying: "If a
client transmits a session id for a session which has been invalidated
or timed-out, then the server will create a new session for the client,
and the method call isNew() of HttpSession will return true."

First, a browser does not send a session, it sends a session id.
Certainly, a browser could send a session id for a session that the
server has invalidated. However, the server should not bring an
invalidated session back to life. In fact, it probably couldn't anyway
because the session object has probably been released and the server
won't keep the reference to the session object. Thus, the server will
create a new session. To me, this seems to be implied by the spec, v2.3:

"7.2 Creating a Session

"Because HTTP is a request-response based protocol, a session is
considered to be new until a client “joins” it. A client joins a
session when session tracking information has been successfully
returned to the server indicating that a session has been established.
Until the client joins a session, it cannot be assumed that the next
request from the client will be recognized as part of the session.

"The session is considered to be “new” if either of the following is
true:

"· The client does not yet know about the session"

Even though the client passes a session id which was previously valid,
the session id no longer matches an existing session. Thus, the server
must create a new session for the client. Since the client does not know
about the new session, that session is new.

K Mukhar
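
The stale-id case discussed in this thread, as an added example that is not part of the original messages: a Servlet 2.3 Filter that redirects to a login page when the client presents a session id the container no longer recognizes, or when the session is new. The class name `StaleSessionFilter`, the `loginPath` init parameter and the `/login` default are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class StaleSessionFilter implements Filter {   // hypothetical class name
    private ServletContext context;
    private String loginPath = "/login";              // assumed default

    public void init(FilterConfig config) {
        context = config.getServletContext();
        String configured = config.getInitParameter("loginPath"); // assumed parameter name
        if (configured != null) {
            loginPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Id from a cookie, bookmark or history entry that matches no live session.
        boolean stale = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // The container never revives the old session; it creates a new one.
        HttpSession session = request.getSession(true);
        boolean onLoginPage = loginPath.equals(request.getServletPath());

        if ((stale || session.isNew()) && !onLoginPage) {
            // Log the servlet path only: the request URI can carry a rewritten session id.
            context.log("new session (stale id presented: " + stale + ") for "
                    + request.getServletPath());
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + loginPath));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        context = null;
    }
}
```

A session that is not new is not thereby authenticated: this check only catches dead or absent ids, so the login state itself still belongs in a session attribute set after a successful login.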