aspose file tools*
The moose likes Servlets and the fly likes Session handling during logoff Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Session handling during logoff" Watch "Session handling during logoff" New topic
Author

Session handling during logoff

Nijeesh Balan
Ranch Hand

Joined: Oct 09, 2000
Posts: 116
Hi,
Is it possible to get the session object from session id?
This is because when the user closes the browser window without logging off the application. I'll have to prompt him that if he wants to terminate the existing session. So planning to hold the userid and the session id in a hashtable and check the values when he logs in. But I would like to know if it is possible to retrieve the session object from session id.. or else i'm left with no option other than storing the session object in the hashtable.
Please let me know your thoughts on this.
Thanks & Regards,
Nijeesh.


Thanks & Regards,<br />Nijeesh.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12825
    
    5
I'm not real clear on what your problem is. If the servlet engine is storing a session for a particular user you can get it from the request. You can't get an arbitrary session from the servlet engine with the id - its a security feature.
If you are going to store user information outside of the normal servlet engine function you should NOT store the session object. Instead, create a class that can hold the user data you want to keep.
You should also look into the various session listeners.
Bill
Nijeesh Balan
Ranch Hand

Joined: Oct 09, 2000
Posts: 116
Hi William,
Sorry for not being clear... Ok, i will try to explain problem again in the form of steps
1. User logs into the system.
2. Does some processing.
3. Closes the browser window without clicking on the logout button(session is not invalidated).
4. The user's session will still be existing in the servlet engine until it automatically times out.
5. In the meantime, the user logs in again.
6. Now I want to prompt the user "Do you want to terminate the session that is already running?"
7. If he presses "Yes", then i want to invalidate the existing session.
How do i get the previous session?
So I planned to maintain a static hashtable with the login name as the key and the session id as the value.
But I don't know if i can retrieve the previous session from the session id. If I cannot, then i have to maintain "session object" itself as the value against the key, retrieve the session object and invalidate it. Is there any other option available?
Please let me know if this describes the situation.
Thanks & Regards,
Nijeesh.
Mark Stein
Ranch Hand

Joined: May 20, 2002
Posts: 75
It's just off the top of my head (and the morning coffee hasn't kicked in yet), but on login couldn't you just do a test to see if a session exists... if (session != null) {... Then based on the results offer the person a chance to invalidate the existing session?
One assumption I made is that your expecting the same person to log in with the same username/password. If it's a different person I'm assuming you'd invalidate the session anyway.
The one problem you'll have to watch out for, is if the person already has a valid session, they may not have to go to the login page to access pages where auth is needed.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12825
    
    5
If the session has not been timed out by the servlet engine, you should automatically get the old one with req.getSession( false );
If it has been timed out that will return a null.
Alternately you can use
session = req.getSession( true );
and then test with
session.isNew()
Like I said - there is no way to retrieve an arbitrary session from the servlet engine using a sessionID - an early version of the API allowed this but then they realized it was a security hazard.
Also - please note what I said before. You should NOT try to keep the session object outside the normal mechanism - you will just get in trouble if you do. Reason being that keeping track of the session is handled by servlet engine, it will invalidate the session when it times out and your copy will be useless.
Bill
no more user
Ranch Hand

Joined: Aug 07, 2002
Posts: 39
if client close the browser and run other browser process, i always get a new session!!
there are something wrong here!! how can i share session object between several browser windows?
clear it, please..

----------------
Carlos Alexandre
Erik Pragt
Ranch Hand

Joined: Sep 08, 2001
Posts: 125
Well, I would suggest using a cookie, which will be placed on the client's machine when the user logs in. If the user log out in a normal way, the cookie will be removed. If the user closes the browser, the cookie won't be removed, so you'll know the user might has a session left, or you can create one where the user left off using the data stored inside the cookie.
I hope this helps, if not, please let me/us know.
Erik
Nijeesh Balan
Ranch Hand

Joined: Oct 09, 2000
Posts: 116
Hi All,
Thanks for your suggestions. But my problem is that the user need not necessarily login again from the same machine.
Option 1
Storing a cookie - will be client m/c dependent. Also will not prevent the problem of terminating the existing session.
Option 2
i think req.getSession(false) will return a session object(if the session is not timed out) only if the user attempts to login from the same machine. Please correct me if I am wrong.
Regarding, storing the session object outside the servlet engine - if the only threat(as per William) is "servlet engine will invalidate the session when it times out", then I will remove the session object from the hashtable in the Listener class(which implements HttpSessionBindingListener).
Please let me know your thoughts on this.
Thanks & Regards,
Nijeesh.
[ November 18, 2002: Message edited by: Nijeesh BH ]
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12825
    
    5
Your user is just going to have to sign in again if starting another session from another browser instance. The HttpSession api is only intended to maintain information for a short period within one session with a single browser instance. It makes no sense to try to bend it outside this usage.
Typically people use some sort of database to maintain information between sessions.
Bill
Nijeesh Balan
Ranch Hand

Joined: Oct 09, 2000
Posts: 116
Hi William,
I'm sorry i was not able to comprehend your latest post. Can you please make it more descriptive?
Also, I have edited my previous post(marked in bold) as I had made some unwitting errors.
Thanks & Regards,
Nijeesh.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Session handling during logoff