Session is not invalidated

Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Hi guys! I have the following code...




Now, this logoff servlet is called from another application. Basically, app1 has its own session and so does app2.

When a user clicks logoff in app1, app1 makes a call to app2's logoff servlet. However, it seems that only app1's session is destroyed and not app2's. It should be both. What could be the problem here? Thanks!


SCJP 1.5
http://devpinoy.org/blogs/lamia/ - http://everypesocounts.com/
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Sessions are not cross context.
You will need to explicitly invalidate the session in each context.
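
An added example, not code from this thread (the original poster's servlet is not shown on the page): a logoff servlet deployed inside app2's own web application, which is the only place app2's session can be invalidated. The class name, the redirect target and the use of the default `JSESSIONID` cookie name are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logoff servlet packaged with app2 (its own servlet context).
public class App2LogoffServlet extends HttpServlet {

    // Assumed post-logoff page inside app2; not taken from the thread.
    private static final String AFTER_LOGOFF_PATH = "/loggedOff.html";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) returns app2's session only when the browser sent
        // app2's session cookie with this request. It never returns app1's
        // session, because sessions are scoped to one context.
        // With getSession() or getSession(true), a request that arrives
        // without app2's cookie would get a brand-new empty session, and
        // invalidating that leaves the user's real app2 session alive.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        } else {
            // Worth logging: the redirect reached app2 but carried no app2 session.
            log("logoff requested without an app2 session");
        }

        // Expire the session cookie in the browser as well. JSESSIONID is the
        // default name; the path must match the one the container used.
        Cookie expired = new Cookie("JSESSIONID", "");
        String contextPath = request.getContextPath();
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0);
        response.addCookie(expired);

        // Keep the logoff response itself out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(contextPath + AFTER_LOGOFF_PATH);
    }
}
```

The invalidation only takes effect when the request is made by the user's browser (a redirect or a frame navigation), since a direct server-to-server call from app1 does not carry the user's app2 session cookie.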


Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Yes, that is why I made a redirect from app1 to app2's logoff servlet. Let's say app1 has its own servlet to invalidate its session, and app2 has that also. What happens is this:

app1's logoff button is clicked
app1's logoff servlet executes and invalidates its session
app1's logoff servlet redirects to app2's logoff servlet
app2's logoff servlet executes and redirects to some other page/site


or is this totally impossible? app2 BTW is in an iFrame. Thanks!
Subhadip Chatterjee
Ranch Hand

Joined: Dec 12, 2006
Posts: 93
Hi,
Please correct me if I am wrong. When you are clicking on LogOff from App1, it's passing the request to App2. Now, the Servlet class that you have texted here is the one used by App2. Alright... Now, in the servlet you are creating Session from the request, which is coming from App1. Hence, it will create a session of App1's. Session.invalidate() clears off everything from App1's session.
I don't think you can pass the request from App1 to App2 to close the Session of App2, because App1's session doesn't necessarily maintain App2's session, unless it's kind of single sign-on or common Header space for both the Apps.
Let's see it with an example. Let's say App1 is a portal, where you log in. That creates a session in App1. From App1, you have got a link to go to App2, which is taking some user info from App1 header and starts its own session. Now, if you log off from App2, that doesn't mean you are invalidating the session of App1 also.
I hope you are clear with what point I am trying to drive straight home.


Refreshing life every moment...
Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Subhadip Chatterjee

Thanks! You actually got it clear and I get your point. Hmmm... What could be a possible workaround? I'm thinking of just passing everything from request to request instead of session but it seems very insecure. App2 had to be a separate one since App1 is an app from our client and they happen to be just outsourcing App2 to us.
Subhadip Chatterjee
Ranch Hand

Joined: Dec 12, 2006
Posts: 93
Hi Sam,
It's good to hear that you understood my example. I am also gonna work on this to find a solution for you, as well. But passing request (RequestDispatcher) only works in individual Servlet Contexts, it's not a cross-context stuff. So, we both have to do a little thinking over that. If you come up with something, post that for folks' sake, because that will be really helpful.
 