Same SessionID after invalidating Session

Hariharasudhan Kalyani Sundaram
Greenhorn

Joined: Jan 31, 2006
Posts: 2
Hi all,

I am using WL 8.1 and I am invalidating the session using session.invalidate() in my servlet. After invalidating, I am creating one more session in the same servlet. I am printing the sessionId before invalidation and after invalidation; both are the same.

Any Clue?

log.debug("Before deleting the existing sessions");
if (session != null)
{
    // Read the ID only after the null check, then discard the old session
    log.debug("try to print the sessionID to check ------> : " + session.getId());
    session.invalidate();
}

log.debug("After invalidating the session");

// Ask the container for a new session on the same request
session = request.getSession(true);

log.debug("Before setting the session attributes to new Session ");
// If the container reuses the ID, this prints the same value as above
log.debug("After overwriting Session ID :" + session.getId());
log.debug("After overwriting Session created time :" + session.getCreationTime());


Thanks in Advance


The safest Place for ship is harbor but it is never built for that
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

This is perfectly valid. The session is stored on the server, the session ID is a way of referring to it. If the server session gets replaced with another instance, then life can go on as normal. It doesn't matter whether the session ID is the same or different.
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2716

Hi Hariharasudhan Kalyani Sundaram, welcome to JavaRanch,
I am using WL 8.1 and I am invalidating the session

First things first: UseRealWords. WL is not a real word.

And there is no problem if you get the same session id more than once if it's not in use; after all, it is generated at random.
Check if the session still exists.

Please take some time to read the Ask Good Questions link below so that you get more from the ranch.


Hope this helps .


SCJP, SCWCD.
|Asking Good Questions|
Hariharasudhan Kalyani Sundaram
Greenhorn

Joined: Jan 31, 2006
Posts: 2
Thanks
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

You're welcome.
and Welcome
Raghavan Muthu
Ranch Hand

Joined: Apr 20, 2006
Posts: 3344

Originally posted by David O'Meara:
You're welcome.
and Welcome


That's nice to read David


Everything has got its own deadline including one's EGO!
Jetendra Ivaturi
Ranch Hand

Joined: Feb 08, 2007
Posts: 159
It's a bug in WebLogic server.

Please post the same in the WebLogic forum and you could expect some workaround.

As far as I know, it's a bug in WebLogic server.


SCJP 1.4 & 1.5, SCWCD 1.5. Learn and Let Learn.
Raghavan Muthu
Ranch Hand

Joined: Apr 20, 2006
Posts: 3344

Yes, seems to be and may possibly be! Even then, if the session is destroyed, what's wrong in using the same id for the newly created session? So long as the session is valid, what else should the user be concerned about? -- Isn't it a different perspective to think of?
Jetendra Ivaturi
Ranch Hand

Joined: Feb 08, 2007
Posts: 159
Yes, you are right... But that's how it's designed. Try experimenting with some other server. I believe there's a request for the same.

Shortly we might expect that the bug will be fixed...
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2716

Originally posted by Jetendra Ivaturi
It's a bug in WebLogic server.

Please post the same in the WebLogic forum and you could expect some workaround.

As far as I know, it's a bug in WebLogic server.


What makes you think that it is a bug in the server?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I agree: why a bug? Possibly not the expected behaviour, sure, but that doesn't make it a bug. The only way it would be a bug was if it was different to the behaviour specified in the Servlet Specification, but to my knowledge it is not specified and I'm not going looking for it. I am not aware of the behaviour on all servers, but I'm sure a previous version of Tomcat did the same thing.
Jetendra Ivaturi
Ranch Hand

Joined: Feb 08, 2007
Posts: 159
I have worked on WebLogic for quite some time. That made me call it a bug. Research is going on for that.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I don't doubt your experience, just the interpretation.
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2716

That made me call it a bug. Research is going on for that.

Where is it mentioned that research is going on for the same?
I could not find any such thing mentioned on the BEA site.

And David is right, the servlet container should follow the specification, the implementation is vendor specific.


Hope this helps .
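
Added example, not part of the thread and not any poster's code: because the thread establishes that ID reuse after invalidate() is container-specific, code that renews the session at a privilege change such as login can check the ID itself, since an ID that stays the same remains usable by anyone who knew it beforehand. The class name SessionRenewal and the method renew are hypothetical, and the fallback assumes a Servlet 3.1+ container (changeSessionId() does not exist on older ones such as WL 8.1).

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: renew the session and verify the ID really changed. */
public final class SessionRenewal {

    private SessionRenewal() {}

    public static HttpSession renew(HttpServletRequest request) {
        // getSession(false): do not create a session just to destroy it
        HttpSession old = request.getSession(false);
        String oldId = null;
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            oldId = old.getId();
            // Copy attributes out before invalidate(); afterwards they are gone
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);
        if (fresh.getId().equals(oldId)) {
            // The container reused the ID, the behaviour reported in the thread.
            // Assumption: Servlet 3.1+, where the ID can be rotated explicitly.
            request.changeSessionId();
        }
        if (fresh.getId().equals(oldId)) {
            // Still unchanged: refuse to continue with a pre-existing ID
            fresh.invalidate();
            throw new IllegalStateException("session ID was not renewed");
        }

        // Carry the application state over to the renewed session
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```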
 
 