Re: session.invalidate not working

Wed, 18 Jul 2012 13:29:55 -0700 


I looked through some of my code and came across the following...

            // invalidate the old session
            data.getRequest().getSession().invalidate();

            // use the sessionid from a newly created session
            sessionId = data.getSession().getId();


In another instance I am also using a slightly different variation

            try {

                        if (data.getResponse().isCommitted() == false) {
                            data.getResponse().sendRedirect(destination);
                        }
// invalidate this session since we are not going to use it anyways 
                        data.getRequest().getSession().invalidate();

                        return false;

                    } catch (IOException ex) {}

I have not had problems with either of these

However, I am currently running Tomcat 6.0...
Thinking years back... one thing I did run into with this had to do with my setup in tomcat.... 


Within conf/server.xml (on my dev server) I use

<Context path="/webapp" docBase="webapp"  crossContext="true">

Within WEB-INF/web.xml I use

<servlet>
<servlet-name>
           webapp
</servlet-name>
<servlet-class>
            org.apache.turbine.Turbine
</servlet-class>

...

</servlet>

<servlet-mapping>
<servlet-name>
            webapp
</servlet-name>
<url-pattern>
            /something/*
</url-pattern>
</servlet-mapping>




On 7/18/2012 12:58 PM, Asha N wrote:

Hello,

We are using Turbine with Velocity, Javascript and Java and Tomcat 7 as our
server. I have a use case where the session needs to be invalidated after a
user logs in. The things that I tried are:
* Tomcat7 by default has it turned on, but it does not work. We have another
system with Spring instead. That generates a new jsessionid without any
issues.
* I tried the following code just before the user gets authenticated via:
TurbineSecurity.getAuthenticatedUser(username, password);
my code:
              HttpSession session = data.getRequest().getSession(false);
                if (session!=null&&  !session.isNew()) {
                    session.invalidate();
                }
                        
                data.getRequest().getSession(true);

this does not work. I still get the same sessionid.
I also tried:

data.getSession().invalidate(), but that too does not seem to work.

Any pointers or inputs are greatly appreciated.

thanks in advance,

Asha
                


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to