request.getSession(false)

Deepti Gupta
Ranch Hand

Joined: Jul 22, 2010
Posts: 30
Hi,
My friends and I are working on a project and we are stuck with the following problem:

the result of request.getSession(false) is not returning "null" whenever the session is not present but it is properly returning the session name when the session is present. The session name differs as it is dependent on the name of the user logged on. We want to check the null condition to know that the session is valid.

Please Help.

thanks.
Jesus Angeles
Ranch Hand

Joined: Feb 26, 2005
Posts: 2057
Deepti Gupta wrote:
the result of request.getSession(false) is not returning "null"


What is it returning? When you are expecting it to be null, and it is not null, try displaying the contents of the session and see if it came from a previous session. The session may still be alive, although you did like close the browser.

Does this happen even on the very first transaction after you start the server?
Tuna Töre
Ranch Hand

Joined: Aug 17, 2008
Posts: 219

Hi,

Try to read Servlet spec

getSession
public HttpSession getSession(boolean create)
Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.

getSession
public HttpSession getSession()
Returns the current session associated with this request, or if the request does not have a session, creates one.



Tuna TÖRE






blog: http://tunatore.wordpress.com
SCJP 6.0 + SCWCD 1.5
Deepti Gupta
Ranch Hand

Joined: Jul 22, 2010
Posts: 30
It's returning a garbage value
Jesus Angeles
Ranch Hand

Joined: Feb 26, 2005
Posts: 2057
Deepti Gupta wrote: It's returning a garbage value
What garbage value? Can you paste here?
Deepti Gupta
Ranch Hand

Joined: Jul 22, 2010
Posts: 30
the garbage value is:

AB600CA19E67F87970A69524F689AF4B


and it's different on different systems.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61457

What are you really trying to accomplish? Checking for the presence of a session is rarely a good approach.
Deepti Gupta
Ranch Hand

Joined: Jul 22, 2010
Posts: 30
We are checking session to build a secure login page.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61457

Bad idea. You don't want to check for the session itself, but for data that you put into a session.
jinx riley
Greenhorn

Joined: Apr 27, 2011
Posts: 5
Bear Bibeault wrote:Bad idea. You don't want to check for the session itself, but for data that you put into a session.



hello, i am a team member in this project.
actually for secure login we're checking the session attribute.
but in order to display a link for login or logout we are using the following code...

[/code]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61457

Why are you checking session.isNew()? There's no need for you to care.

  • When you log a user in, record a token in the session indicating so.
  • Upon logout, remove the token.
  • To check, see if the token exists. If not, a logout or session timeout has occurred.


  • There's never a need to check the session itself.
    jinx riley
    Greenhorn

    Joined: Apr 27, 2011
    Posts: 5
    Bear Bibeault wrote:Why are you checking session.isNew()? There's no need for you to care.

  • When you log a user in, record a token in the session indicating so.
  • Upon logout, remove the token.
  • To check, see if the token exists. If not, a logout or session timeout has occurred.


  • There's never a need to check the session itself.


    Ok...
    So you want to say that i should generate a session every time a user visits the homepage.
    And add some attribute that can be checked for whether the user is logged in or not.

    But is generating a session for every user that visits the website a good idea...and what if a user directly accesses another page other than the home page...?
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61457

    jinx riley wrote: So you want to say that i should generate a session every time a user visits the homepage.

    Absolutely not. How did you get that?

    What I am saying is that you shouldn't be dicking around with the session at all except to put, get and remove scoped variables from it.

    But is generating a session for every user that visits the website a good idea

    Huh? Each visitor will have a unique session. That's what a session is.

    jinx riley wrote:what if a user directly accesses another page other than the home page...?

    What about it? The session will be the same as long as the pages are all in the same web app.

    P.S. If your application makes a distinction between the home page and other pages with regards to security, it's doing it wrong.
    jinx riley
    Greenhorn

    Joined: Apr 27, 2011
    Posts: 5
    what i am doing is...right now i am generating a session for a user only when he is logged in..!!

    on the home page in order to check if a session exists i use the method request.getSession(false) so that a new session is not generated.

    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61457

    jinx riley wrote:what i am doing is...right now i am generating a session for a user only when he is logged in..!!

    I think that you are using the wrong terms, and that is making this confusing. You do not "generate a session", the servlet container does that.

    As I pointed out, the only activity you should be taking upon login is to record the logged-in status by placing a scoped variable into the session that is used to indicate this status.

    on the home page in order to check if a session exists i use the method request.getSession(false) so that a new session is not generated.


    Firstly, you should be doing nothing of this sort in the home page. Creating the token should take place in the login action, and checking for the token should take place in a servlet filter that operates orthogonally to any specific page or action.

    Stop thinking about creating and destroying sessions. Just leave them be. Concentrate instead on simply using the existing session to store state.
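
The pattern Bear Bibeault describes (token recorded at login, removed at logout, checked in a servlet filter), shown as an added example that is not code from any poster in this thread. The class name `LoginFilter`, the attribute name `loggedInUser`, the `/login` path and the use of the `javax.servlet` API are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; LoginFilter, USER_KEY and "/login" are hypothetical names.
public class LoginFilter implements Filter {
    static final String USER_KEY = "loggedInUser"; // assumed attribute name

    // Call from the login action, only after credentials have been verified.
    static void recordLogin(HttpServletRequest req, Object user) {
        req.getSession().setAttribute(USER_KEY, user); // container supplies the session
    }

    // Call from the logout action.
    static void recordLogout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.removeAttribute(USER_KEY);
    }

    // A non-null session proves nothing by itself: a JSP creates one implicitly
    // unless it declares session="false". Only the attribute marks a login.
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // never creates a session
        return s != null && s.getAttribute(USER_KEY) != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Let the login action itself through; everything else needs the token.
        if (isLoggedIn(req) || "/login".equals(req.getServletPath())) {
            chain.doFilter(request, response);
        } else {
            res.sendRedirect(req.getContextPath() + "/login");
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Mapping the filter to `/*` in the deployment descriptor applies the same check to every page, so the home page is not a special case.
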
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61457

    Oh, and if you are doing any Java code in the JSPs, well, just stop all that.
    jinx riley
    Greenhorn

    Joined: Apr 27, 2011
    Posts: 5
    ok bear....i understand your point now...

    i will use some other logic to implement my requirement now....

    i am thinking of using a variable in the user class to store the status of the user which can be...

    1) user who has just visited the website but has not logged in yet..
    2) user who has logged in..
    3) user who has logged out now...
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61457

    Why would you store such state in the user class?
    Paul Clapham
    Bartender

    Joined: Oct 14, 2005
    Posts: 18716

    That sounds like a reasonable idea. But just to repeat Bear's point, you should then be storing an instance of that User class in the session. Then the login and logout processes would simply modify those variables you mentioned.
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61457

    I'll respectfully disagree. Unless there's business logic that necessitates persisting these states, recording logged-in state in the user class is needless and fragile. The very presence of a user in the session is enough to indicate logged-in state, and its absence logged out state. Why redundantly record the states in the user?

    Redundant state == fragility as the states now need to be kept in synch.
     