This week's book giveaway is in the Design forum.
We're giving away four copies of Design for the Mind and have Victor S. Yocco on-line!
See this thread for details.
Win a copy of Design for the Mind this week in the Design forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Session invalidation

 
Jose Esteban
Ranch Hand
Posts: 102
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Can anybody tell if the following sequence of events on session invalidation is correct:

1) You call HttpSession.invalidate() or the session times out (at this point, a new request will not be able to see the session).

2) The sessionDestroyed() method is called on HttpSessionListeners.

3) The session is invalidated (at this point, all servlets using the session have exited the service method).

4) attributeRemoved() is called on HttpSessionAttributeListeners and valueUnbound() is called on HttpSessionBindingListeners (I don't know if there's an established order on these calls).

Cheers,
Jose
[ March 31, 2005: Message edited by: Jose Esteban ]
 
James Christian
Ranch Hand
Posts: 63
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
1) I agree. Once a session has been invalidated or timed-out requests can no longer see the session. Otherwise what is the point of invalidating the session. Bogus callers would be able to hijack invalidated sessions.
 
Jose Esteban
Ranch Hand
Posts: 102
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for your answer.

I see you agree with step 1). Since you don't say anything about the rest of the sequence, I think you agree with it.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic