File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Session invalidation Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Session invalidation" Watch "Session invalidation" New topic

Session invalidation

Jose Esteban
Ranch Hand

Joined: Nov 28, 2004
Posts: 102
Can anybody tell if the following sequence of events on session invalidation is correct:

1) You call HttpSession.invalidate() or the session times out (at this point, a new request will not be able to see the session).

2) The sessionDestroyed() method is called on HttpSessionListeners.

3) The session is invalidated (at this point, all servlets using the session have exited the service method).

4) attributeRemoved() is called on HttpSessionAttributeListeners and valueUnbound() is called on HttpSessionBindingListeners (I don't know if there's an established order on these calls).

[ March 31, 2005: Message edited by: Jose Esteban ]
James Christian
Ranch Hand

Joined: Apr 04, 2005
Posts: 63
1) I agree. Once a session has been invalidated or timed-out requests can no longer see the session. Otherwise what is the point of invalidating the session. Bogus callers would be able to hijack invalidated sessions.
Jose Esteban
Ranch Hand

Joined: Nov 28, 2004
Posts: 102
Thanks for your answer.

I see you agree with step 1). Since you don't say anything about the rest of the sequence, I think you agree with it.
I agree. Here's the link:
subject: Session invalidation
It's not a secret anymore!