http://issues.apache.org/bugzilla/show_bug.cgi?id=28709

javax.servlet.http.HttpServletRequest.isRequestedSessionIdValid() returns true for an invalidated session!

------- Additional Comments From [EMAIL PROTECTED] 2004-05-26 17:10 -------

The Servlet Specification states (SRV.7.3) that the session is within the scope of the servlet context and cannot be shared. Accordingly I don't think the semantics of invalidation and the isRequestedSessionIdValid call are clear when doing cross-context includes.

Looking at the code, it should be fine. From CoyoteRequest:

    /**
     * Return <code>true</code> if the session identifier included in this
     * request identifies a valid session.
     */
    public boolean isRequestedSessionIdValid() {
        if (requestedSessionId == null)
            return (false);
        if (context == null)
            return (false);
        Manager manager = context.getManager();
        if (manager == null)
            return (false);
        Session session = null;
        try {
            session = manager.findSession(requestedSessionId);
        } catch (IOException e) {
            session = null;
        }
        if ((session != null) && session.isValid())
            return (true);
        else
            return (false);
    }

StandardSession#invalidate calls StandardSession#expire:

    public void expire(boolean notify) {
        // Mark this session as "being expired" if needed
        if (expiring)
            return;
        synchronized (this) {
            if (manager == null)
                return;
            expiring = true;
            // Notify interested application event listeners
            // FIXME - Assumes we call listeners in reverse order
            Context context = (Context) manager.getContainer();
            Object listeners[] = context.getApplicationLifecycleListeners();
            if (notify && (listeners != null)) {
                HttpSessionEvent event = new HttpSessionEvent(getSession());
                for (int i = 0; i < listeners.length; i++) {
                    int j = (listeners.length - 1) - i;
                    if (!(listeners[j] instanceof HttpSessionListener))
                        continue;
                    HttpSessionListener listener = (HttpSessionListener) listeners[j];
                    try {
                        fireContainerEvent(context, "beforeSessionDestroyed", listener);
                        listener.sessionDestroyed(event);
                        fireContainerEvent(context, "afterSessionDestroyed", listener);
                    } catch (Throwable t) {
                        try {
                            fireContainerEvent(context, "afterSessionDestroyed", listener);
                        } catch (Exception e) {
                            ;
                        }
                        log(sm.getString("standardSession.sessionEvent"), t);
                    }
                }
            }
            accessCount = 0;
            setValid(false);
            // Remove this session from our manager's active sessions
            if (manager != null)
                manager.remove(this);
            // Notify interested session event listeners
            if (notify) {
                fireSessionEvent(Session.SESSION_DESTROYED_EVENT, null);
            }
            // We have completed expire of this session
            expiring = false;
            // Unbind any objects associated with this session
            String keys[] = keys();
            for (int i = 0; i < keys.length; i++)
                removeAttributeInternal(keys[i], notify);
        }
    }

Because of the Manager#remove call, the findSession call in CoyoteRequest will return null, and the isRequestedSessionIdValid method will return false.
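A compact model of the lookup discussed in the comment above, added here and not part of the bug report or of Tomcat's source: the Manager, Session and request classes are hypothetical stand-ins that keep only the find-and-remove behaviour, to show why a session id issued by one context is not valid when checked in another (each context has its own Manager) and why Manager#remove makes the id invalid once invalidate() has run.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical minimal model of Tomcat's per-context session lookup (not Tomcat code).
public class SessionScopeDemo {
    static class Session {
        final String id; final Manager manager; private boolean valid = true;
        Session(String id, Manager manager) { this.id = id; this.manager = manager; }
        boolean isValid() { return valid; }
        // Mirrors the relevant part of StandardSession#expire: mark invalid, drop from the manager.
        void invalidate() { valid = false; manager.remove(this); }
    }
    // One Manager per Context: a session lives only in the manager of the context that created it.
    static class Manager {
        private final Map<String, Session> sessions = new HashMap<>();
        Session create(String id) { Session s = new Session(id, this); sessions.put(id, s); return s; }
        Session findSession(String id) { return sessions.get(id); }
        void remove(Session s) { sessions.remove(s.id); }
    }
    // Mirrors CoyoteRequest#isRequestedSessionIdValid, evaluated against a given context's manager.
    static boolean isRequestedSessionIdValid(String requestedSessionId, Manager manager) {
        if (requestedSessionId == null || manager == null) return false;
        Session session = manager.findSession(requestedSessionId);
        return session != null && session.isValid();
    }
    public static void main(String[] args) {
        Manager ctxA = new Manager();   // originating context, e.g. /app-a
        Manager ctxB = new Manager();   // target of a cross-context include, e.g. /app-b
        String sid = "ABC123";           // constructed session id for the demo
        ctxA.create(sid);
        // The same requested id is answered per context: B's manager never held this session,
        // so an include into B sees the id as not valid even though A still considers it valid.
        System.out.println("checked in A: " + isRequestedSessionIdValid(sid, ctxA));
        System.out.println("checked in B: " + isRequestedSessionIdValid(sid, ctxB));
        // After invalidate(), Manager#remove makes findSession return null in A as well,
        // so the old id is rejected everywhere; this is the property a defender should verify.
        ctxA.findSession(sid).invalidate();
        System.out.println("checked in A after invalidate: " + isRequestedSessionIdValid(sid, ctxA));
    }
}
```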