permaculture playing cards*
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Session invalidation Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Session invalidation" Watch "Session invalidation" New topic
Author

Session invalidation

Jose Esteban
Ranch Hand

Joined: Nov 28, 2004
Posts: 102
Can anybody tell if the following sequence of events on session invalidation is correct:

1) You call HttpSession.invalidate() or the session times out (at this point, a new request will not be able to see the session).

2) The sessionDestroyed() method is called on HttpSessionListeners.

3) The session is invalidated (at this point, all servlets using the session have exited the service method).

4) attributeRemoved() is called on HttpSessionAttributeListeners and valueUnbound() is called on HttpSessionBindingListeners (I don't know if there's an established order on these calls).

Cheers,
Jose
[ March 31, 2005: Message edited by: Jose Esteban ]
James Christian
Ranch Hand

Joined: Apr 04, 2005
Posts: 63
1) I agree. Once a session has been invalidated or timed-out requests can no longer see the session. Otherwise what is the point of invalidating the session. Bogus callers would be able to hijack invalidated sessions.
Jose Esteban
Ranch Hand

Joined: Nov 28, 2004
Posts: 102
Thanks for your answer.

I see you agree with step 1). Since you don't say anything about the rest of the sequence, I think you agree with it.
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Session invalidation
 
Similar Threads
How to track all sessions?
Immediate help please . Not getting DB connection !!!!!!
Problems with setMaxInactiveInterval()
Sessions
session variable