getSession and isRequestedSessionIdValid

 
Pat Villa
Greenhorn
Posts: 19
Hi!
I have the following code in my Servlet:
    session = req.getSession() ;
    System.out.println( "Login1: Session !valid = " + !req.isRequestedSessionIdValid() ) ;
Oddly enough, it prints "Login1: Session !valid = true". My understanding is that req.getSession() would make me a new, valid session, then req.isRequestedSessionIdValid() would return true if it indeed was valid.
Is this normal? Or are the two methods related at all?
BTW, I'm using IBM WSAD 5.1 on Windows 2000
Thanks!
 
Jayson Falkner
Author
Ranch Hand
Posts: 57
> My understanding is that req.getSession() would make me a new,
> valid session, then req.isRequestedSessionIdValid() would
> return true if it indeed was valid.
You are sort of right. The problem is that HTTP is stateless, meaning just because you call HttpServletRequest getSession() doesn't mean the client's browser suddenly keeps session information. Usually to make a session your web server will send a cookie (jsessionid if I remember the name right...) to the client's browser in a response and on subsequent requests the browser is expected to send back the cookie to identify itself with a session in your web app.
It looks like your problem is you are only starting the session on your server, and isRequestedSessionIdValid() returns false because the client never provided a session ID since it never had one. Try browsing to the same servlet multiple times using the same browser; it should start to say 'true'.
Keep in mind also that there are several more issues that might be causing this problem, such as the browser not supporting or refusing cookies. Kevin and I talk about these issues in detail in our book -- we have a whole chapter devoted to state management. I'm happy to help work through your example here, but if you want a full treatment of the topic, I suggest looking into the book.
 
Pat Villa
Greenhorn
Posts: 19
Thanks for the reply Jayson. I'll definitely consider your book when I can better afford one. Pretty tough here in the 3rd world. Plus our bookstores don't have most of the newer books.
Hmm, well ok, so how do I check for valid sessions? Currently I have some code in my Login servlet:
    HttpSession session = req.getSession( false ) ;

    if( session != null) {
        System.out.println( "Login: Session exists, invalidating..." ) ;
        session.invalidate() ; // only for testing, to create new session
        System.out.println( "Login: Session !valid = " + !req.isRequestedSessionIdValid() ) ;
    } // if
    // set request and session attributes, then forward to another Servlet/page
Then in my other pages:
    HttpSession session = req.getSession( false ) ;
    String page ;
    if( !req.isRequestedSessionIdValid() ) {
        System.out.println( "Session invalid" ) ;
        page = "Login" ;
        HttpUtils.forwardPage( getServletConfig().getServletContext() , page , req , resp ) ;
        return ;
    }
This is supposed to forward the page back to Login if there is no valid session. So a common result would be Login and one of my pages endlessly forwarding the request to each other until my test server shuts down, since "req.isRequestedSessionIdValid()" would always return false. Also, the request information passed back to Login is the same info it passed out, thus causing it to forward it out again.
My previous session checking code used to be "if( session == null )" instead of "if( !req.isRequestedSessionIdValid() )". I think my app worked ok when I used "if( session == null )", the problem was it didn't forward back to Login when a session was previously invalidated.
 
Pat Villa
Greenhorn
Posts: 19
Just an update. I tried something and it seems to be working.
From what I read, invalidate() unbinds variables from a session so I just check for the existence of an attribute. If the attribute is absent (or if session is null) then I send the user back to login.
Login:
    HttpSession session = req.getSession( false ) ;

    if( session != null ) {
        System.out.println( "Login: Session not null" );
        if( session.getAttribute( "userID" ) != null ) {
            session.invalidate() ; // temporary for testing
        } // if
    }
    // form request, session then send to other pages
Other servlets:
    HttpSession session = req.getSession( false ) ;
    if( session == null || ( session != null && session.getAttribute( "userID" ) == null ) ) {
        page = "Login" ;
        HttpUtils.forwardPage( getServletConfig().getServletContext() , page , req , resp ) ;
        return ;
    }
    // do normal stuff
Works so far. Anything wrong with this approach?
 
Kevin Jones
Author
Ranch Hand
Posts: 39
Why not just use isNew() ?
    HttpSession sess = req.getSession();
    if(sess.isNew() == true)
        // go to login
 
Pat Villa
Greenhorn
Posts: 19
Would isNew() still return true if I haven't sent a reply yet to the client/browser and/or I've already placed attributes into the session? Like below:
Login:
    session=req.getSession();
    session.setAttribute( "bla" , "bla" ) ;
    getServletConfig().getServletContext().getRequestDispatcher( "Servlet2" ).forward( req , resp ) ;
Servlet2:
    session=req.getSession(false);
    if( session.isNew() ) {
        page="Login";
    } else {
        page="Bla.jsp";
    }
    getServletConfig().getServletContext().getRequestDispatcher( page ).forward( req , resp ) ;
[ January 29, 2004: Message edited by: Pat Villa ]
 
Kevin Jones
Author
Ranch Hand
Posts: 39
isNew returns true until the next request validates the session, i.e. the next request would contain the cookie or URL-rewritten session ID that shows this session has been recognised by the client.
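
The attribute-based login check discussed in this thread, written once as a servlet filter instead of being repeated in each servlet, with the login page exempted so the check cannot bounce a request back and forth. This is an added example, not code from any poster; the class name and the `/Login` mapping are assumptions, and `userID` is the attribute name used earlier in the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class): one login check for every protected resource.
public class LoginCheckFilter implements Filter {
    // Assumptions: the login servlet is mapped at /Login and stores "userID"
    // in the session after a successful login.
    static final String LOGIN_PATH = "/Login";
    static final String USER_ATTR = "userID";

    // Logged in means: the server still holds a session for this request AND
    // that session carries the login marker. isNew() and
    // isRequestedSessionIdValid() only describe whether the client presented
    // a session id; they say nothing about who the user is.
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session here
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Exempt the login page itself; otherwise it would be sent to itself forever.
        boolean isLoginPage = LOGIN_PATH.equals(req.getServletPath());
        if (isLoginPage || isLoggedIn(req)) {
            chain.doFilter(req, resp);
            return;
        }
        // Redirect instead of forward: the browser issues a fresh GET, so the
        // original request parameters are not replayed into the login servlet.
        resp.sendRedirect(req.getContextPath() + LOGIN_PATH);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```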
 