Session handling during logoff

 
Ranch Hand
Posts: 116
Hi,
Is it possible to get the session object from the session id?
This is because, when the user closes the browser window without logging off the application, I'll have to prompt him whether he wants to terminate the existing session. So I am planning to hold the userid and the session id in a hashtable and check the values when he logs in. But I would like to know if it is possible to retrieve the session object from the session id, or else I'm left with no option other than storing the session object in the hashtable.
Please let me know your thoughts on this.
Thanks & Regards,
Nijeesh.
 
Author and all-around good cowpoke
Posts: 13078
I'm not real clear on what your problem is. If the servlet engine is storing a session for a particular user you can get it from the request. You can't get an arbitrary session from the servlet engine with the id - it's a security feature.
If you are going to store user information outside of the normal servlet engine function you should NOT store the session object. Instead, create a class that can hold the user data you want to keep.
You should also look into the various session listeners.
Bill
 
Nijeesh Balan
Ranch Hand
Posts: 116
Hi William,
Sorry for not being clear... OK, I will try to explain the problem again in the form of steps:
1. User logs into the system.
2. Does some processing.
3. Closes the browser window without clicking on the logout button (session is not invalidated).
4. The user's session will still be existing in the servlet engine until it automatically times out.
5. In the meantime, the user logs in again.
6. Now I want to prompt the user "Do you want to terminate the session that is already running?"
7. If he presses "Yes", then I want to invalidate the existing session.
How do I get the previous session?
So I planned to maintain a static hashtable with the login name as the key and the session id as the value.
But I don't know if I can retrieve the previous session from the session id. If I cannot, then I have to maintain the "session object" itself as the value against the key, retrieve the session object and invalidate it. Is there any other option available?
Please let me know if this describes the situation.
Thanks & Regards,
Nijeesh.
 
Ranch Hand
Posts: 75
It's just off the top of my head (and the morning coffee hasn't kicked in yet), but on login couldn't you just do a test to see if a session exists... if (session != null) {... Then based on the results offer the person a chance to invalidate the existing session?
One assumption I made is that you're expecting the same person to log in with the same username/password. If it's a different person I'm assuming you'd invalidate the session anyway.
The one problem you'll have to watch out for is that if the person already has a valid session, they may not have to go to the login page to access pages where auth is needed.
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
If the session has not been timed out by the servlet engine, you should automatically get the old one with req.getSession( false );
If it has been timed out that will return a null.
Alternately you can use
session = req.getSession( true );
and then test with
session.isNew()
Like I said - there is no way to retrieve an arbitrary session from the servlet engine using a sessionID - an early version of the API allowed this but then they realized it was a security hazard.
Also - please note what I said before. You should NOT try to keep the session object outside the normal mechanism - you will just get in trouble if you do. The reason being that keeping track of the session is handled by the servlet engine; it will invalidate the session when it times out and your copy will be useless.
Bill
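
Added example, not part of any post in this thread: one way to offer "terminate the other session" while following the advice above, keeping only session ids keyed by login name and letting the container invalidate a revoked session on that session's next request. The class name LoginRegistry, its methods and the "user" attribute are hypothetical; it assumes the javax.servlet API and that the class is registered as both a listener and a filter in web.xml.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical registry: login name -> session id. Holds ids only, never HttpSession objects. */
public class LoginRegistry implements HttpSessionListener, Filter {
    private static final ConcurrentHashMap<String, String> ACTIVE = new ConcurrentHashMap<>();
    private static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();

    /** Call after a successful login: true if this user still has a different live session. */
    public static boolean hasOtherSession(String user, HttpSession current) {
        String old = ACTIVE.get(user);
        return old != null && !old.equals(current.getId());
    }

    /** Call once the user answers "Yes": the old id is revoked and the new session takes over. */
    public static void takeOver(String user, HttpSession current) {
        String old = ACTIVE.put(user, current.getId());
        if (old != null && !old.equals(current.getId())) REVOKED.add(old);
        current.setAttribute("user", user);
    }

    // Called by the container on timeout or invalidate(), so neither map keeps stale ids.
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        REVOKED.remove(s.getId());
        Object user = s.getAttribute("user");
        // Two-argument remove: an old session ending must not drop the new session's entry.
        if (user != null) ACTIVE.remove((String) user, s.getId());
    }
    public void sessionCreated(HttpSessionEvent e) { }

    // A revoked session is found through the container's own lookup and invalidated there.
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpSession s = ((HttpServletRequest) rq).getSession(false);
        if (s != null && REVOKED.contains(s.getId())) {
            s.invalidate();
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(rq, rs);
    }
    public void init(FilterConfig c) { }
    public void destroy() { }
}
```

If the abandoned browser never sends another request, the revoked session simply times out as usual and the listener clears its id.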
 
Ranch Hand
Posts: 39
If the client closes the browser and runs another browser process, I always get a new session!!
There is something wrong here!! How can I share the session object between several browser windows?
Please clear it up.

----------------
Carlos Alexandre
 
Ranch Hand
Posts: 125
Well, I would suggest using a cookie, which will be placed on the client's machine when the user logs in. If the user logs out in a normal way, the cookie will be removed. If the user closes the browser, the cookie won't be removed, so you'll know the user might have a session left, or you can create one where the user left off using the data stored inside the cookie.
I hope this helps, if not, please let me/us know.
Erik
 
Nijeesh Balan
Ranch Hand
Posts: 116
Hi All,
Thanks for your suggestions. But my problem is that the user need not necessarily login again from the same machine.
Option 1
Storing a cookie - will be client machine dependent. Also, it will not prevent the problem of terminating the existing session.
Option 2
I think req.getSession(false) will return a session object (if the session is not timed out) only if the user attempts to login from the same machine. Please correct me if I am wrong.
Regarding storing the session object outside the servlet engine - if the only threat (as per William) is "servlet engine will invalidate the session when it times out", then I will remove the session object from the hashtable in the Listener class (which implements HttpSessionBindingListener).
Please let me know your thoughts on this.
Thanks & Regards,
Nijeesh.
[ November 18, 2002: Message edited by: Nijeesh BH ]
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
Your user is just going to have to sign in again if starting another session from another browser instance. The HttpSession API is only intended to maintain information for a short period within one session with a single browser instance. It makes no sense to try to bend it outside this usage.
Typically people use some sort of database to maintain information between sessions.
Bill
 
Nijeesh Balan
Ranch Hand
Posts: 116
Hi William,
I'm sorry I was not able to comprehend your latest post. Can you please make it more descriptive?
Also, I have edited my previous post (marked in bold) as I had made some unwitting errors.
Thanks & Regards,
Nijeesh.
 