aspose file tools*
The moose likes Servlets and the fly likes request.getSession(false) not working Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "request.getSession(false) not working" Watch "request.getSession(false) not working" New topic
Author

request.getSession(false) not working

Brian R. Wainwright
Ranch Hand

Joined: Aug 12, 2003
Posts: 92
Hey all,
Has anyone ever had any problems with request.getSession(false) in Tomcat 4.1.29 on Mac OS 10.3.3 with Struts? I'm using it and, unless I'm mistaken about the way it's supposed to behave, it is not doing what it should be. For example:

This above code SHOULD redirect to the login page if the session is no longer valid (it has timed out). Instead, it creates a NEW session, with a NEW sesion ID, new create time etc..... and continues on its merry way - all things it shoudn't do if I pass "false" to the method. Perhaps, I'm just being stupid about this.... please say I'm just being stupid about this....
Thanks.
--BW
Brahim Bakayoko
Ranch Hand

Joined: Aug 29, 2003
Posts: 155
HttpSession session = request.getSession(false);
returns a null object if no session exist (session has expired).
So, calling logger.debug("SESSION ID: " + session.getId());
throws an exception.
if(session == null) {} is never reached when the session is null.


SCJP, SCWCD, SCBCD, IBM CSD WebSphere v5, <br />A+, MCP 2000 and 2000 server, CST, and few incompleted certification tracks.<br /> <br />Ivory Coast<br /> <br />Analyze your web Request/Response @ <a href="http://webtools.servehttp.com" target="_blank" rel="nofollow">http://webtools.servehttp.com</a> down for a while...
Brian R. Wainwright
Ranch Hand

Joined: Aug 12, 2003
Posts: 92
So, calling logger.debug("SESSION ID: " + session.getId());
throws an exception

It SHOULD throw an exception, but it never does. Instead getSession(false) creates a brand spanking new session and the null test fails as a result.
Brahim Bakayoko
Ranch Hand

Joined: Aug 29, 2003
Posts: 155
In that case, a new session is being created passively by a jsp or actively by a servlet (check your code) <code your jsps to not create sessions).
Brian R. Wainwright
Ranch Hand

Joined: Aug 12, 2003
Posts: 92
hmmmm... thanks for the reply Brahim... I think you may be on to something, but not in the way you're suggesting. If I load a jsp and let it sit idle beyond the specified session-timeout and then execute the action/servlet, I STILL get a new session - the jsp isn't involved in this case. However.... the form on the jsp is a Struts ActionForm with request scope that I suppose could be behaving badly when it gets submitted. It shouldn't care about the session though, so I don't know. My gut feeling is that Struts is the problem somehow since I've been able to duplicate the issue on Solaris with Tomcat 5.0.x - so it doesn't seem to be a servlet container implementation. Not to try and change the forum, but does anyone with familiarity with Struts happen to know if any of the Action classes (DispatchAction in this case) calls getSession()....? I'll take a look at the source code myself, but I wanna keep this thread going since the problems I'm having fly in the face of everything I know about HttpSessions.... Thanks!
Brahim Bakayoko
Ranch Hand

Joined: Aug 29, 2003
Posts: 155
hum...
The issue is not with Struts.
Did you add "<%@page session='false' "%> to all involved JSPs?
Did you make sure that none of your servlets are calling req.getSession() or req.getSession(true)?
What you are experiencing is an effect of a poor design pattern.
If you want to control the creation and/or untimed destruction of sessions, do it in a single servlet and preferably a filter.
Everywhere else:
- add "<%@page session='false' "%> to all JSPs
- call on .getSession(false) when in servlets
- test for nullity on the session object
- dispatch where appropriate if null
Also, since you are debugging your application, you should think of calling on session.invalidate() rather than waiting for the session to time out for your testing. You could save some time.
Brian R. Wainwright
Ranch Hand

Joined: Aug 12, 2003
Posts: 92
Hey Brahim,
Thanks again for the reply.
Did you add "<%@page session='false' "%> to all involved JSPs?

I haven't because I need access to the session in most of my JSP's. I'm storing such things as the currently logged in user and other stuff. Setting that to false will preclude me from doing so will it not?
Besides, it still doesn't explain some of the odd behavior I cited above. If the browser is inactive beyond timeout and the ONLY subsequent user interaction is submitting a form that calls some servlet code that, before it does anything else, calls getSession(false), then it couldn't be the JSP that's creating the new session. Know what I mean? If all my navigation is controlled by a servlet (in my case Struts Actions) and the first thing that it does is check the validity of the session object (through getSession(false) and then a null check on the result) then it follows that the JSP never comes into it. The JSP's should be using the same session and, if they're loaded outside of servlet that implements the above code, then yeah, I'd expect a new session. But I don't expect a new session when in the other circumstance.
Here's some debug statements that may indicate what's going on..
On login at 16:46:53 a new session is created with a timeout of 60 seconds.

Then, ~3 minutes later at 16:50:14 - when the other session has timed out. A button is clicked that calls some code that has as its first statement session = request.getSession(false). The result of which is a new session.... or so it appears...

It doesn't make sense....
--BW
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61769
    
  67

Have you tried using a session listener to figure out if it is your call that is creating the session or if something else is doing it before your code executes?


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Brian R. Wainwright
Ranch Hand

Joined: Aug 12, 2003
Posts: 92
Hi Bear,
I haven't yet done that. I was hoping to avoid doing it - I guess out of sheer laziness - but at this point it's probably a good idea (actually, its a tight deadline and.. blah blah....). I'll keep ya'll posted.
Brian R. Wainwright
Ranch Hand

Joined: Aug 12, 2003
Posts: 92
Hi Guys,
So I implemented an HttpSessionListener and was able to determine that SOMETHING else is creating my sessions before I call getSession(false);
Just to see what happens the sessionCreated and sessionDestroyed methods just log the session ID and some text.

I suppose I'll have to take a look at my Struts config and see if there's some forwarding going on that could be creating a request prior to the action method being called. Does anyone have any other ideas?
--BW
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: request.getSession(false) not working