File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Servlets and the fly likes getSession and isRequestedSessionIdValid Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "getSession and isRequestedSessionIdValid" Watch "getSession and isRequestedSessionIdValid" New topic
Author

getSession and isRequestedSessionIdValid

Pat Villa
Greenhorn

Joined: Jan 05, 2004
Posts: 19
Hi!
I have the following code in my Servlet:
session = req.getSession() ;
System.out.println( "Login1: Session !valid = " + !req.isRequestedSessionIdValid() ) ;
oddly enough, it prints "Login1: Session !valid = true". My understandng is that req.getSession() would make me a new, valid session, then req.isRequestedSessionIdValid() would return true if it indeed was valid.
Is this normal? Or are the two methods related at all?
BTW, I'm using IBM WSAD 5.1 on Windows 2000
Thanks!
Jayson Falkner
Author
Ranch Hand

Joined: May 07, 2001
Posts: 57
> My understandng is that req.getSession() would make me a new,
> valid session, then req.isRequestedSessionIdValid() would
> return true if it indeed was valid.
You are sort of right. The problem is that HTTP is stateless, meaning just because you call HttpServletRequest getSession() doesn't mean the client's browser suddenly keeps session information. Usually to make a session your web server will send a cookie (jsessionid if I remember the name right...) to the client's browser in a response and on subsequent requests the browser is expected to send back the cookie to identify itself with a session in your web app.
It looks like your problem is you are only starting the session on your server, and isRequestedSessionIdValid() returns false because the client never provided a session ID since it never had one. Try browsing to the same servlet multiple times using the same browser, it should start to say 'true'.
Keep in mind also that there are several more issues that might be causing this problem, such as the browser doesn't support or refuses cookies. Kevin and I talk about these issues in detail in our book -- we have a whole chapter devoted to state management. I'm happy to help work through your example here, but if you want a full treatment on the topic, I suggest looking in to the book.


Jayson Falkner<br />jayson@jspinsider.com<br />Author of <a href="http://www.jspbook.com" target="_blank" rel="nofollow">Servlets and JavaServer Pages; the J2EE Web Tier</a>
Pat Villa
Greenhorn

Joined: Jan 05, 2004
Posts: 19
Thanks for the reply Jayson. I'll definitely consider your book when I can better afford one. Pretty tough here in the 3rd world. Plus our bookstores don't have most of the newer books.
Hmm, well ok, so how do I check for valid sessions? currently I have some code in my Login servlet:
HttpSession session = req.getSession( false ) ;

if( session != null) {
System.out.println( "Login: Session exists, invalidating..." ) ;
session.invalidate() ; // only for testing, to create new session
System.out.println( "Login: Session !valid = " + !req.isRequestedSessionIdValid() ) ;
} // if
// set request and session attributes, then forward to another Servlet/page
Then in my other pages:
HttpSession session = req.getSession( false ) ;
String page ;
if( !req.isRequestedSessionIdValid() ) {
System.out.println( "Session invalid" ) ;
page = "Login" ;
HttpUtils.forwardPage( getServletConfig().getServletContext() , page , req , resp ) ;
return ;
}
This is supposed to forward the page back to Login if there is no valid session. So a common result would be Login and one of my pages endlessly forwarding the request to each other until my test server shuts down, since "req.isRequestedSessionIdValid()" would always return false. Also, the request information passed back to Login is the same info it passed out, thus causing it to forward it out again.
My previous session checking code used to be "if( session == null )" instead of "if( !req.isRequestedSessionIdValid() )". I think my app worked ok when I used "if( session == null )", the problem was it didn't forward back to Login when a session was previously invalidated.
Pat Villa
Greenhorn

Joined: Jan 05, 2004
Posts: 19
Just an update. I tried something and it seems to be working.
From what i read, invalidate() unbinds variables from a session so I just check for the existence of an attribute. If the attribute is absent (or if session is null) then I send the user back to login.
Login:
HttpSession session = req.getSession( false ) ;

if( session != null ) {
System.out.println( "Login: Session not null" );
if( session.getAttribute( "userID" ) != null ) {
session.invalidate() ; // temporary for testing
} // if
}
// form request, session then send to other pages
Other servlets:
HttpSession session = req.getSession( false ) ;
if( session == null || ( session != null && session.getAttribute( "userID" ) == null ) ) {
page = "Login" ;
HttpUtils.forwardPage( getServletConfig().getServletContext() , page , req , resp ) ;
return ;
}
// do normal stuff
Works so far. Anything wrong with this approach?
Kevin Jones
Author
Ranch Hand

Joined: Oct 29, 2003
Posts: 39
Why not just use isNew() ?
Session sess = req.getSession();
if(sess.isNew() == true)
// go to login


Kevin Jones<br />Author: <a href="http://www.amazon.com/exec/obidos/tg/detail/-/0321136497/jranch-20" target="_blank" rel="nofollow">Servlets and JSP: The J2EE Web Tier</a>
Pat Villa
Greenhorn

Joined: Jan 05, 2004
Posts: 19
Would isNew() still return true if I haven't sent a reply yet to the client/browser and/or I've already placed attributes into the session? Like below:
Login:
session=req.getSession();
session.setAttribute( "bla" , "bla" ) ;
getServletConfig().getServletContext().getRequestDispatcher( "Servlet2" ).forward( req , resp ) ;
Servlet2:
session=req.getSession(false);
if( session.isNew() ) {
page="Login";
} else {
page="Bla.jsp";
}
getServletConfig().getServletContext().getRequestDispatcher( page ).forward( req , resp ) ;
[ January 29, 2004: Message edited by: Pat Villa ]
Kevin Jones
Author
Ranch Hand

Joined: Oct 29, 2003
Posts: 39
isNew returns true until the next request validates the session, i.e. the next request would contain the cookie or url re-written session-id that shows this session has been recognised by the client
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: getSession and isRequestedSessionIdValid