Trying another approach - HttpSessionListener Re: cleaning up sessions ...

[Mufaddal Khumri]

I am trying to implement the HttpSessionListener (the same class 
implements ServletContextListener. The code for which is below.

1.  I open a browser window , use MyApp after logging in.
2. I open the tomcat manager and reload my webapp. I go to the console 
at this point and see the message - "Session is already invalid."
3. I go to my window in step 1. and click on a link to go to a 
particular .jsp page. I get a blank window. I check the session 
attributes at this point and my session attribute USER_AUTHORIZED 
exists and is true.

step 2 s result conflicts with step 3s result. Invalidating the session 
does not propagate to the client ???????  What am i doing wrong ?

	public void contextDestroyed(ServletContextEvent sce)
	{
		// Destroy sessions.
		if(sessions != null)
		{
			Iterator i = sessions.iterator();
		
			while (i.hasNext())
			{
				HttpSession s = (HttpSession)i.next();
	
	            try
	            {
		            if(s != null && s.getAttribute("USER_AUTHORISED") != null)
		            {
		            	System.out.println("Invalidating session id = " + 
s.getId());
		            	s.invalidate();
		            }
	            }
	            catch(IllegalStateException ex)
	            {
	            	System.out.println("Session is already invalid.");
	            }
			}
		}
		// End Destroy sessions.
	}

        public void sessionCreated(HttpSessionEvent event)
        {
                if(sessions == null)
                        sessions = new HashSet();
                        
                sessions.add(event.getSession());
        }
        
        public void sessionDestroyed(HttpSessionEvent event)
        {
                if(sessions != null)
                {
                        sessions.remove(event.getSession());
                }
        }
On Wednesday, September 17, 2003, at 02:08  PM, Mufaddal Khumri wrote:

To test I did the following:

1. started tomcat.
2. started a browser, logged into MyApp and used it.
3. stopped tomcat and restarted tomcat . (kept the browser window 
open).
4. went back to my browser window and tried to continue using my MyApp 
by clicking on one of the links to a jsp page. The browser showed me a 
blank window -
       AT THIS POINT I checked the session attribute and it was still 
existing. My code that redirects the user to the login page checks to 
see if this attribute is not there or is false. Since its present and 
is true it does not redirect the user. The only way i can redirect the 
user to the login page is by invalidating the session he or she is 
using . For this i made the change to the server.xml.

Any ideas why this isnt working ?

On Thursday, September 18, 2003, at 02:12  AM, Mike Curwen wrote:

You are doing nothing wrong... Tomcat will persist sessions between
restarts.
To check your code works correctly, don't restart Tomcat... close your
browser window and start a new instance of the browser (or let the
session time out in a single browser).

-----Original Message-----
From: Mufaddal Khumri [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 2:53 AM
To: Tomcat Users List
Cc: [EMAIL PROTECTED]
Subject: Re: cleaning up sessions ...
Exactly. I have a session attribute in my session that i set
to true .
and if that session attribute is not present or is false i redirect
them to the authentication page.
I did the following to my server.xml :

<Manager className="org.apache.catalina.session.PersistentManager"
               debug="0"
               saveOnRestart="false"
               maxActiveSessions="-1"
               minIdleSwap="-1"
               maxIdleSwap="-1"
               maxIdleBackup="-1">
                 <Store
className="org.apache.catalina.session.FileStore"/>
  </Manager>
Now  i go to the tomcat manager and reload my webapp . I am
navigating
the webapp in a browser when this happens (ie i am currently a user
using a valid session ) .. after the webapp reloads ... i continue
using the webapp by clicking on say a link ... which takes me to some
other jsp page ... i do a check on top of this jsp page for this
"attribute" ... and it still persists . This is what threw me off ..
and i could not understand where i was doing what wrong ...
Any help appreciated

Thanks.

On Thursday, September 18, 2003, at 01:19  AM, Shapira, Yoav wrote:

Howdy,

all pages i do a checkAuthetication .. how do i check if
the session
is
active or not ? .. so that i can detect that and redirect
them to the
Hmm... I would do this using attributes.  All attributes
are unbound
when the session is invalidated.  So add an attribute to
the session
when you authenticate people, and check for that attribute in your
pages.  If it's not present, redirect them to the
authentication page.
Yoav Shapira



This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended
only for the
individual(s) to whom it is addressed, and may not be
saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]