Deleting session deletes all my sessions

shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Hi Guys

I have a dataSession which stores data the user has entered. Now when I want to delete this session, all of my other sessions (userSession, mailSession etc) get deleted too. See code below:

Declaration:


Adding the session:


Deleting the session

[ September 27, 2008: Message edited by: shaf maff ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

Other sessions? You only get one at a time. What do you mean by "dataSession"? There's only the concept of an HTTP session.


shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Well, I have other sessions which store user login data and so on. dataSession stores data the user has entered into a form. What I'm saying is if I invalidate dataSession, why is it also invalidating my user login session?
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12761
    
why is it also invalidating my user login session?


How about because you made your getDataSession an instance variable - visible to any request. You should never use a servlet instance variable for user specific object references.

Alternately, you have a misconception about what an HttpSession is - there is only one per session. The different names used for attributes are just keys to a hashmap.

Bill
[ September 27, 2008: Message edited by: William Brogden ]
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Hi William

Can you elaborate on the following:

How about because you made your getDataSession an instance variable - visible to any request. You should never use a servlet instance variable for user specific object references.


It looks like I have some more work to do with sessions then.. So how do you delete a session attribute?








[ September 27, 2008: Message edited by: shaf maff ]
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4167
    

Originally posted by shaf maff:
Hi William

Can you elaborate on the following:



It looks like I have some more work to do with sessions then.. So how do you delete a session attribute?

[ September 27, 2008: Message edited by: shaf maff ]


Set it to null.

Don't forget to STOP storing the HTTPSession as an instance variable for the servlet.


Steve
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

shaf maff, please avoid "ninja edits" in the future. This is where you go and change your post after someone has already posted a response. You changed your original post rather substantially after I responded, and now my response looks somewhat confusing and foolish. Future readers of this topic could get confused. Please don't do that in the future.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

And as the others have pointed out, what you are calling "sessions" are nothing of the kind. They are scoped variables that you are storing in the single session. When you invalidate the session, you remove all of its scoped variables.

To remove a scoped variable, use removeAttribute().

And, never ever use instance variables in a servlet.
[ September 27, 2008: Message edited by: Bear Bibeault ]
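
The difference between the two calls, as an added example that is not code from the thread: a hypothetical servlet (the class name, the `action` and `formData` parameters and the redirect paths are assumptions; the attribute names are the poster's) that keeps the session in a local variable, removes a single attribute to clear the form data, and invalidates only on logout. It compiles against the `javax.servlet` API.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; only the attribute names come from the thread.
public class FormDataServlet extends HttpServlet {
    // Deliberately no fields: one servlet instance serves every user's requests.

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Local variable: each request thread looks up its own caller's session.
        // false = do not create a session for a visitor who does not have one.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("userSession") == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String action = request.getParameter("action"); // assumed form field
        if ("saveForm".equals(action)) {
            // "dataSession" is just a key in the session's attribute map.
            session.setAttribute("dataSession", request.getParameter("formData"));
        } else if ("clearForm".equals(action)) {
            // Drops that one key; userSession and mailSession are untouched.
            session.removeAttribute("dataSession");
        } else if ("logout".equals(action)) {
            // Ends the HTTP session itself: every attribute is unbound with it.
            session.invalidate();
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        response.sendRedirect(request.getContextPath() + "/form");
    }
}
```
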
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4167
    

Originally posted by Bear Bibeault:
To remove a scoped variable, use removeAttribute().


Dear god there is a removeAttribute method. And one in ServletRequest and ServletContext as well. I have always used setAttribute(name, null). Now I feel like a dolt (Why didn't I notice they were there when I was learning this stuff...).
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Thanks for the replies guys.

Bear: I'll try not to.

So, what is an instance variable (excuse me, I've only been coding in servlets for a month and a bit)? If you mean a class object, why not? I do that because I don't want to make too many db requests so I get all the records from db, store them into a class instance, store that instance into a list and that list into a session. Whenever I need the data I simply get it from the session which makes it quicker and reduces the load on the mysql server.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

Instance variables make your servlet non-thread-safe.
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
What does that mean?
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4167
    

Originally posted by shaf maff:
What does that mean?


Each request made to a servlet uses a different thread, and the same servlet instance. When you store data in the servlet instance then all requests see the same data. If you have multiple people visiting your page they will all see the same data, and if one person is attempting to view the data while another is trying to change it unpredictable bad things will happen. Things like people seeing another person's private data, login information, and the like.

All this is bad, and needs to be avoided in order to keep your application safe.
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Ah, that sounds terrible. So the dreaded question, does it affect my application? Here is its description (copy/pasted from above):

If you mean a class object, why not? I do that because I don't want to make too many db requests so I get all the records from db, store them into a class instance, store that instance into a list and that list into a session. Whenever I need the data I simply get it from the session which makes it quicker and reduces the load on the mysql server.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

Any variable not declared within a method is unsafe unless it is set at initialization and then only treated in a read-only manner.
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Ok so I have the following in the servlet class and not in any methods:



Some of these are initialised and have the data inserted and then used for read only in other servlets. Others are declared as such so they can be accessed by all the methods. Do I have to declare all of these in their respective methods and use the return method instead?

[ September 27, 2008: Message edited by: shaf maff ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

Any instance variables that you are using merely to share the data across methods is unsafe and must be refactored.
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Ah. Ok, so I need some insight into how I am going to handle the following problem then. Once a user has logged in I store his id, address etc in a class and that class is placed into a session variable. I need to use the id in many many places to verify the user and also when inserting data into the db. If storing his data in such a way is potentially dangerous how do you suggest I handle this?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

In a JSP, fetch it from the session. That's what it's there for. If it's needed in other methods, pass it as a parameter.
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Thanks bear. I have managed to move all of the instance variables into their respective methods and used return statements instead. I have two more questions though:

1. I declare my class objects in the methods and then store them into the session. Just to confirm that this is ok?

2. What about enums? Can they also be declared as instance variables and have variables in them? Or must they also be declared locally to the method?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

I'm not sure what you mean by (1).

Enums can be declared anywhere -- declaring them is akin to declaring a class. But variables need to follow the same rules, whether they are enums or not.
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Thanks. Here is the code for question 1:

Is the above fine? Would it also be ok if I place the httpsession as an instance variable? Will that cause any problems?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

Originally posted by shaf maff:
Would it also be ok if I place the httpsession as an instance variable? Will that cause any problems?

This is a concept that is paramount that you understand before you write another single line of servlet code.

So I'm not going to answer it: you are.

Imagine that two requests get made at the same time so that two threads are executing the code at the same time.

Is the instance variable a problem or not?
shaf maff
Ranch Hand

Joined: Sep 07, 2008
Posts: 180
Yes it is. Any instance var will cause problems unless it is used for initialisation only. So something like private String htm = "1"; will cause problems but if I called a class (MyClass c) and then created an instance of it in the method then that is fine..

That is what I understand from our discussion.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

Yes, variables created inside methods are safe because each thread will get their own copies. Instance variables are unsafe because they are shared across all threads.
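
The two-requests-at-once scenario from this thread, as an added example that is not code from any poster: a plain-Java model (no servlet container; all class and method names are hypothetical) in which one handler instance serves two threads, once keeping the user in an instance variable and once in a local variable. Latches fix the interleaving so the result is the same on every run.

```java
import java.util.concurrent.CountDownLatch;

// Plain-Java model of one servlet instance shared by two request threads.
public class SharedServletStateDemo {
    interface Handler { String handle(String user, Runnable midRequest); }
    static class UnsafeHandler implements Handler {
        private String currentUser; // instance variable: one copy for all threads
        public String handle(String user, Runnable midRequest) {
            currentUser = user;
            midRequest.run(); // another request may run here
            return "Account page for " + currentUser;
        }
    }
    static class SafeHandler implements Handler {
        public String handle(String user, Runnable midRequest) {
            String currentUser = user; // local variable: one copy per thread
            midRequest.run();
            return "Account page for " + currentUser;
        }
    }
    // Serves alice and bob from ONE handler; the latches force bob's whole
    // request to run between alice's write and alice's read.
    static String[] serveBoth(Handler handler) throws InterruptedException {
        CountDownLatch aliceWrote = new CountDownLatch(1);
        CountDownLatch bobDone = new CountDownLatch(1);
        String[] pages = new String[2];
        Thread alice = new Thread(() -> pages[0] = handler.handle("alice", () -> {
            aliceWrote.countDown();
            await(bobDone);
        }));
        Thread bob = new Thread(() -> {
            await(aliceWrote);
            pages[1] = handler.handle("bob", () -> { });
            bobDone.countDown();
        });
        alice.start(); bob.start();
        alice.join(); bob.join();
        return pages; // [alice's response, bob's response]
    }
    static void await(CountDownLatch latch) {
        try { latch.await(); }
        catch (InterruptedException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared field:   " + String.join(" | ", serveBoth(new UnsafeHandler())));
        System.out.println("local variable: " + String.join(" | ", serveBoth(new SafeHandler())));
    }
}
```

With the shared field, alice's response is built from bob's value; with the local variable each response names its own user.
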
Sastry Kuppa
Greenhorn

Joined: Oct 02, 2008
Posts: 4
Originally posted by Bear Bibeault:
Yes, variables created inside methods are safe because each thread will get their own copies. Instance variables are unsafe because they are shared across all threads.


Hello Gurus!
...have a question here, please?!
Do the statements above imply that only service() method is multi-threaded (in any servlet with multi-threaded model); anyways the init() and destroy() come once in a lifetime.

Any thoughts?!
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60781
    

"Got IT",

There aren't many rules that you need to worry about here on the Ranch, but one that we take very seriously regards the use of proper names. Please take a look at the JavaRanch Naming Policy and adjust your display name to match it.

In particular, your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.

Thanks!
bear
JavaRanch Sheriff
Sastry Kuppa
Greenhorn

Joined: Oct 02, 2008
Posts: 4
Apologies.
I've taken out the mask
Hope we can continue the discussion...
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541
    

"sas", please read the previous post by Bear Bibeault and the JavaRanch naming policy that it linked to. Your screen name still does not conform to that policy. Please change it to something which does.
 
 