I thought I knew sessions in particular, and web applications in general, well, but I got a weird error with my app running on JRun 4. So please answer my question below.

Web Application Scenario:

There are five pages in the simplified application: home.htm, account.jsp, account_detail.jsp, login.htm, logout.jsp.

A user first requests the home.htm page, which contains a link to account.jsp. In web.xml, account.jsp and account_detail.jsp are configured to be protected while home.htm is not. So when the user clicks on the link to account.jsp on the home.htm page, JRun serves the standard login.htm page for the user to enter id and password. A successful login leads the user to account.jsp.

Account.jsp is coded with "session=true", and it creates serializable objects and stores them in "session". The links on it allow the user to navigate to account_detail.jsp.

Account_detail.jsp is coded with "session=true", and it accesses the previously-created "session attributes/objects". In addition, it contains the logout button, which links to the logout.jsp page.

On the logout.jsp page, "session.invalidate()" is called.

One usage scenario:

(1) user requests home.htm
(2) user clicks on the link to account.jsp in home.htm
(3) JRun sends login.htm to user, and user submits correct id/password
(4) JRun authenticates/authorizes the user, and executes/sends back account.jsp
(5) user clicks the link to navigate to account_detail.jsp
(6) user clicks on logout button on account_detail.jsp
(7) "session.invalidate()" is called in logout.jsp before this page is sent back to user
(8) the link to home.htm on the logout.jsp page allows the user to navigate back to home.htm
(9) from home.htm, the next login/access/logout sequence starts
(10) user clicks on the link to account.jsp in home.htm, same as (2)
(11) JRun sends login.htm to user, and user submits correct id/password, same as (3)
(12) JRun authenticates/authorizes the user, and executes/sends back account.jsp, same as (4)
(13) ... continues...

Question:

There are three types of entities:

(1) the jsessionID in the cookie
(2) the "session" Java object in the Servlet API
(3) "session attributes", serializable objects that are created and stored in the "session" object

The general question is:

(1) when each entity of the three types is generated,
(2) when the previously generated entity is destroyed,
(3) when each is re-generated with a new value.

Specifically, what happens in each of the 12 steps in the usage scenario described above?
Hi,

I would think that the jsessionid and the session object are created when you call HttpServletRequest.getSession to create a new session. I guess that when you call HttpSession.invalidate and there are no other references made to the HttpSession object, it gets garbage collected. Remember, I'm really not sure about what I'm saying here.

Dominic
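One way to observe, step by step, when the session object and its attributes are created and destroyed in the scenario above. This is an added example, not code from either post; the class name SessionLifecycleLogger is hypothetical, and it assumes the container supports the Servlet 2.3 listener interfaces.

```java
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name. Register it in web.xml with a
// <listener><listener-class>SessionLifecycleLogger</listener-class></listener> element.
public class SessionLifecycleLogger
        implements HttpSessionListener, HttpSessionAttributeListener {

    // The container created a new HttpSession object, and with it a new session ID.
    public void sessionCreated(HttpSessionEvent e) {
        log("session CREATED", e.getSession(), null);
    }

    // The session ended, through session.invalidate() or a timeout.
    public void sessionDestroyed(HttpSessionEvent e) {
        log("session DESTROYED", e.getSession(), null);
    }

    // A page called session.setAttribute() with a new name.
    public void attributeAdded(HttpSessionBindingEvent e) {
        log("attribute ADDED", e.getSession(), e.getName());
    }

    // An attribute was removed explicitly or unbound when the session was invalidated.
    public void attributeRemoved(HttpSessionBindingEvent e) {
        log("attribute REMOVED", e.getSession(), e.getName());
    }

    public void attributeReplaced(HttpSessionBindingEvent e) {
        log("attribute REPLACED", e.getSession(), e.getName());
    }

    private static void log(String what, HttpSession s, String attr) {
        String id;
        try {
            String full = s.getId();
            // Log only a short prefix: a full session ID in a log file could be
            // replayed by anyone who can read the log while the session is live.
            id = full.substring(0, Math.min(6, full.length())) + "...";
        } catch (IllegalStateException ex) {
            id = "(already invalidated)"; // some containers reject calls at this point
        }
        System.out.println(System.currentTimeMillis() + " " + what
                + " id=" + id + (attr != null ? " name=" + attr : ""));
    }
}
```

Walking through steps (1) to (12) with this listener registered, and comparing the logged prefix with the session cookie the browser holds at each step, shows which requests create a session and whether the ID changes after logout.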