Christopher Schultz wrote:
[...] lots of smart things which I duly note but omit here

> Tomcat knows that it uses the session to store authentication
> information, so Tomcat itself will create the session and add the cookie
> to the response at this point.

| The user authenticates, the authentication is checked, and now by some
| mechanism the call is redirected to the originally-requested URL.
| But still according to the above, there is no session yet, because
| HttpServletRequest.getSession() has still not been called.

> It has been called, just not by /your/ code at this point.

Aha! So there can be hidden, I would even say occult, calls to HttpServletRequest.getSession() that the unsuspecting developer wouldn't even know about! Unless he happens to consult the Holy Source Code, or is a visitor to this list and is thus enlightened. Or is there another source of enlightenment about this that I don't yet know about?


| (I also have a problem with the
| HttpServletRequest.isRequestedSessionIdValid() call, because I fail to
| see a case where the return value would be false.  But I'll get to that
| one later, if I haven't exhausted everyone's patience by then.)

> If you make a request to a servlet with a bogus session id, then this
> method will return false. It could be generally bogus (wrong format,
> etc.) or the session could have expired. The requested session id could
> be different from the "current" session id, if an invalid session id was
> requested, and the servlet calls request.getSession(true). In that case,
> the requested and actual session ids will be different.

Ah, but...
If I make a request with a bogus (or expired) session-id, then Tomcat will never be able to "reconnect" the request with a valid existing session. But, if I understand this right, if I make a request with an invalid session-id (in the JSESSIONID cookie, for instance), Tomcat will not instantly throw out the call with a stack trace. It might sneakily let the call proceed, until the servlet tries to do something with the session which it thinks it has but doesn't. /Then/ it will throw the servlet out.
Right?

In other words, if I write a servlet which depends on the pre-existence of a valid session, should I always check HttpServletRequest.isRequestedSessionIdValid() first, or can I call HttpServletRequest.getSession(false) and check for a null return value?
Or can I call HttpServletRequest.getSession(true) and check a posteriori if the obtained session's id matches the request's JSESSIONID? Are these calls always equivalent, from the point of view of checking if I have a pre-existing valid session matching the session-id of the cookie?

André

P.S. No matter what the answers are, thank you very much for your time anyway. It has been a very informative exchange for me, filling in many grey areas that I thought I approximately understood but did not really.
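The three checks André compares above, side by side in one servlet filter. This is an added example, not code from the thread or from Tomcat; it assumes the javax.servlet 2.5-era API that Tomcat of that period shipped, and the filter and enum names are hypothetical. The point it makes: getSession(false) and isRequestedSessionIdValid() both answer "is there a usable session?" without creating one, whereas getSession(true) manufactures a session on the strength of whatever id the client sent, so the id comparison can only be done afterwards and the new session is already live.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: lets a request through only if it carries a valid, pre-existing session. */
public class RequireExistingSessionFilter implements Filter {

    /** Outcome of the check, kept as a value so it can be logged and unit-tested. */
    enum SessionState { NONE_REQUESTED, REQUESTED_BUT_INVALID, VALID_AND_MATCHING, VALID_BUT_DIFFERENT }

    static SessionState classify(HttpServletRequest req) {
        // The id the client presented (JSESSIONID cookie or URL rewriting); null if none was sent.
        String requestedId = req.getRequestedSessionId();
        if (requestedId == null) {
            return SessionState.NONE_REQUESTED;
        }
        // Check 1: does the container still hold a live session under that id?
        // Returns false for a garbled id, an unknown id, or an expired session.
        if (!req.isRequestedSessionIdValid()) {
            return SessionState.REQUESTED_BUT_INVALID;
        }
        // Check 2: getSession(false) never creates a session; null means "nothing usable".
        HttpSession session = req.getSession(false);
        if (session == null) {
            return SessionState.REQUESTED_BUT_INVALID;
        }
        // Check 3: the session handed back may not be the one the client asked for, e.g. if
        // the container (FORM authentication) or earlier code already created one this request.
        return requestedId.equals(session.getId())
                ? SessionState.VALID_AND_MATCHING : SessionState.VALID_BUT_DIFFERENT;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        SessionState state = classify(req);
        if (state != SessionState.VALID_AND_MATCHING) {
            // Deliberately no getSession(true) here: creating a session because the client sent
            // a bogus cookie would hide the problem from the servlet instead of surfacing it.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no valid session: " + state);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter in web.xml in front of the servlets that need a session; a VALID_BUT_DIFFERENT result is worth logging, because it means something upstream of the servlet already replaced the client's session during this request.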




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]