
Session exists even before we have logged in

Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Source: Marcus

Which of the following classes is appropriate for monitoring when users sign into the system and recording it in the log?

A. ApplicationContextAttributeListener
B. HttpSessionListener
C. HttpSessionActivationListener
D. HttpLoginListener
E. ServletContextListener

Given answer: B

I also thought B is the answer, but then I thought, why?

See a HttpSession can be created even when the user is not logged in.
For example: I add items to the shopping cart and log in only if I wish to check out.
The main point of having a session is to keep track of the user without asking him to log in to the site; otherwise we could have used the HTTPS built-in mechanism all the time to keep track of the user.

So why is it said that if you want to log people who are logging in to the website then use HttpSessionListener?

Parth Tiwari
| Pursuing Bachelor of Engineering | OSUM Club Leader | SCJP 6 | SCWCD 5 |...
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1675
    

> See a HttpSession can be created even when the user is not logged in.

True, but you can see whether somebody has logged in by using the request.getUserPrincipal() method

See also this section of the specs:
> SRV.12.10 Login and Logout
> Being logged in to a web application corresponds precisely to there being a
> valid non-null value in getUserPrincipal method, discussed in SRV.12.3 and the
> javadoc. A null value in that method indicates that a user is logged out.
> Containers may create HTTP Session objects to track login state. If a
> developer creates a session while a user is not authenticated, and the container
> then authenticates the user, the session visible to developer code after login must
> be the same session object that was created prior to login occurring so that there is
> no loss of session information.

Regards,
Frits

Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
OK.. so you mean the sessionCreated method will run whenever a new session is created and you can check that this session is created because someone has logged in (using getUserPrincipal or getRemoteUser methods) or in general.

If these methods return a non-null value then an entry is made in the logs that a new user has logged in.

But see this line in the spec:

> If a developer creates a session while a user is not authenticated, and the container
> then authenticates the user, the session visible to developer code after login must
> be the same session object that was created prior to login occurring so that there is
> no loss of session information.

There is no new session created if the user logs in after he was already using a session. So this means the sessionCreated method will not be running again and we will not be able to log this user into the session. Right?
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1675
    

> There is no new session created if the user logs in after he was already using a session. So this means the sessionCreated method will not be running again and we will not be able to log this user into the session. Right?

Yes, so monitoring users that are logged in (authenticated) is not possible by only implementing a HttpSessionListener.

So the answer depends on whether the users are logged in immediately into the system, and that we don't know....

Regards,
Frits
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Hey Frits,

I think the best listener would be HttpSessionAttributeListener, because containers may create HTTP Session objects to track login state, and if they do they will store attributes in the user's session, such as the user's security-related information, and if that happens then the attributeAdded method will be called on HttpSessionAttributeListener.

So, the attributeAdded method is a perfect place to log such information.

But this is another container-specific thing.
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Doesn't anyone think the same (that the best listener would be HttpSessionAttributeListener)?
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1675
    

Hi Parth,
> Containers may create HTTP Session objects to track login state and if they do they will store attributes in the user's session, such as the user's security related information and if that happens then the attributeAdded method will be called on HttpSessionAttributeListener.

It is nowhere written in the specs that certain security attributes should be available in the HttpSession object. (For instance: Tomcat doesn't add anything to the session object after a user has logged in.)

I think that if you really want to track who is logged in, you can't do that with a listener alone (unless you always have to log in).

Regards,
Frits
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Ok.. thanks..
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

What is the solution for this? Can't we use HttpSessionEvent objects to notify when a session had been changed by user log in?


|BSc in Electronic Eng| |SCJP 6.0 91%| |SCWCD 5 92%|
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
> What is the solution for this? Can't we use HttpSessionEvent objects to notify when a session had been changed by user log in?

> I think that if you really want track who is logged in that you can't do that with a listener alone (unless that you always have to log in).

If a session already exists then it is not changed or anything by user login.
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1675
    

> What is the solution for this? Can't we use HttpSessionEvent objects to notify when a session had been changed by user log in?

If you want to log all the users that are logged into the system you could do it with a Filter. For every user that is logged in you could add an attribute to the HttpSession object.

Just to give an idea:

and a filter definition like this:
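
An added example, not the code from the post above and not JavaRanch's own: one way to write the filter approach described in this thread. On each request it checks getUserPrincipal() and, the first time a non-null principal is seen in a session, logs the login and marks the session with an attribute. The class name LoginAuditFilter, the attribute name audit.loggedUser and the /* mapping are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it to /* in web.xml so it sees every request.
public class LoginAuditFilter implements Filter {
    // Hypothetical attribute name: the user this session was last logged for.
    private static final String LOGGED_USER = "audit.loggedUser";
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // SRV.12.10: non-null principal = logged in, null = logged out.
            Principal principal = request.getUserPrincipal();
            if (principal != null) {
                // The session may predate the login (anonymous shopping cart),
                // in which case sessionCreated() never fired for this login.
                HttpSession session = request.getSession(true);
                String name = principal.getName();
                if (!name.equals(session.getAttribute(LOGGED_USER))) {
                    session.setAttribute(LOGGED_USER, name);
                    // The session id is deliberately not written to the log.
                    context.log("Login: user=" + sanitize(name)
                            + " remote=" + request.getRemoteAddr());
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Replace CR/LF so a crafted user name cannot forge extra log lines.
    private static String sanitize(String value) {
        return value.replaceAll("[\\r\\n]", "_");
    }

    public void destroy() { }
}
```

Because the marker is compared with the current principal's name, a session that is reused by a different authenticated user produces a second log entry instead of being silently skipped.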
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Thanks Frits, you have really helped..
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

Thanks Frits!
 