What is the equivalent to scriptlets for invalidating the session in jsp

Rajani Gummadi
Ranch Hand

Joined: Dec 17, 2010
Posts: 48
Hi All,

I'm a newbie learning JSP and servlets. Please guide me in knowing the equivalent code to invalidate the session in JSP using Expression Language or JSTL. Currently I'm writing as



Also, is it advisable to invalidate the session in the login page before a form is submitted to a servlet?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61317

There isn't any. And nor should there be. Invalidating the session has nothing to do with generating a view and is not something that should be done within a JSP.


Alex Hurtt
Ranch Hand

Joined: Oct 26, 2010
Posts: 98
Probably not a good idea. If you can shed some light on why you feel you need to do this in a JSP we might be able to help you figure out a better alternative solution. But without more details we can only say, probably not a good idea to do this.
Rajani Gummadi
Ranch Hand

Joined: Dec 17, 2010
Posts: 48
I was working on some sample application with a login page and some other dummy page. After submitting the form to servlet, the servlet authenticates the user and redirects to some other page. Simple flow.

I'm checking for session in my servlet, if it does not exist, I'm creating one and adding the userid as an attribute to the session.



The above code is just a template; I have not put much processing in it. When the user logs in first, I'm expecting the session to be null and the session needs to be created for the first time.

But maybe because of the JSP, the session is implicitly created, even before it reaches the session, which I wanted to avoid. So I thought of invalidating the session in the JSP as below before submitting the form



I was able to achieve what I wanted with this code (not having a session for the first time), but I was not sure if that is the right approach. I agree that invalidating the session in the view is not recommended, but how can my task be achieved in another way?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61317

You should stop worrying about this at the session level. Put an object in the session after validation and check for it rather than the session. To log out, remove the object. Don't bother invalidating the session.
Rajani Gummadi
Ranch Hand

Joined: Dec 17, 2010
Posts: 48
Bear Bibeault wrote: You should stop worrying about this at the session level. Put an object in the session after validation and check for it rather than the session. To log out, remove the object. Don't bother invalidating the session.


Hi Bear,

I think I did not really follow your suggestion. Would you mind elaborating on it more? Are you saying that instead of invalidating the session, after the user is authenticated, the user is added to the session (or some other object into the session) and we check for the presence of this object in the session to see if the session is still active or not? I think for this I need to set the session timeout in web.xml.

"To log out, remove the object." I did not follow how the user would be logged out if we remove the object from the session. Removing the object would not kill the session. Please correct me.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61317

Stop thinking in terms of a "valid session". The session isn't what's important; it's what's in the session.
Rajani Gummadi
Ranch Hand

Joined: Dec 17, 2010
Posts: 48
Thanks Bear, but please bear with me and help me understand this concept.

"To log out, remove the object. Don't bother invalidating the session." Please confirm the object removal process. Did you mean this to be achieved by the session timeout in web.xml, or did you mean calling "removeAttribute" on the session? But when do we call this?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61317

It's simple really:

  • Upon login, place an object in the session (a User object for example, but it could be anything)
  • Check for authentication by seeing if such an object is in the session.
  • For logout, simply remove the object.
  • A session timeout will automatically make the object go away, so it's an implicit logout.


  • This gets you completely out of the business of worrying about the session itself.
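
The login / check / logout scheme from the last post, written out as an added example; it is not part of the thread and not any poster's code. Assumptions: the javax.servlet API (Servlet 3.1+), the attribute name `user`, the parameter names `userid` and `password`, the pages `login.jsp` and `home.jsp`, and a placeholder credential check. The `changeSessionId()` call goes beyond the thread: it gives the existing session a new id at login, so an id handed out before authentication is not carried into the authenticated state.

```java
// Added example, not code from the thread. Assumes the javax.servlet API, Servlet 3.1+.
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = {"/login", "/logout"})
public class AuthServlet extends HttpServlet {
    static final String USER_KEY = "user"; // hypothetical session attribute name

    /** Logged in means "the marker object is in the session"; callable from any servlet or filter. */
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // false: never create a session just to check
        return session != null && session.getAttribute(USER_KEY) != null;
    }

    /** Placeholder credential check (assumption); a real application queries its user store. */
    static boolean credentialsOk(String userId, String password) {
        return "demo".equals(userId) && "demo-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if ("/logout".equals(req.getServletPath())) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.removeAttribute(USER_KEY); // logout: remove the object, keep the session
            }
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        String userId = req.getParameter("userid");
        if (!credentialsOk(userId, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The JSP may already have created a session; it carries no marker, so reuse it.
        HttpSession session = req.getSession();
        req.changeSessionId();                  // added hardening: the pre-login id is not kept
        session.setAttribute(USER_KEY, userId); // login: place the object in the session
        resp.sendRedirect(req.getContextPath() + "/home.jsp");
    }
}
```

The `<session-timeout>` element in web.xml sets how long an idle session lives; when it expires, the marker goes with it, which is the implicit logout described in the list above.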
     