If the spec mandates the session scope to be >= request scope, then if
you log out during a request you would keep an incorrect session.
If you do:
request {
    filter {
        playWithSession();
        logout();
    }
    auditSession();
}
Then your audit will still be bound to the user from before the logout, but
it is actually no longer accurate. This can be OK in some cases but can be an
issue in others. Also, in this case the destroy event will have a
session which may have been garbage-collected/destroyed by the container and
potentially (if pooled) reassigned to another request.
If you take the login case it is the opposite, and here if you use
sessionId in your logic you can have trouble as well, since it is highly
recommended (sometimes forced by the container) to change the
sessionId when a user is logged in.
Romain Manni-Bucau
@rmannibucau
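
The audit-after-logout and login cases from the message above, sketched as an added example (not code from this thread, the CDI TCK or any container). It assumes the javax.servlet 3.1 API on the classpath; the class name, the "audit" logger name and the login helper are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: hypothetical filter, not from the CDI TCK or any container.
public class SessionAwareAuditFilter implements Filter {
    private static final Logger AUDIT = Logger.getLogger("audit");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // Snapshot identity before anything downstream can log in or log out.
        HttpSession before = req.getSession(false);
        String idBefore = before == null ? null : before.getId();
        String userBefore = req.getRemoteUser();
        try {
            chain.doFilter(rq, rs);
        } finally {
            // Re-read without creating a session; null means no valid session is left.
            HttpSession after = req.getSession(false);
            String idAfter = after == null ? null : after.getId();
            String transition;
            if (idBefore != null && idAfter == null) transition = "session-invalidated";
            else if (idBefore == null && idAfter != null) transition = "session-created";
            else if (idBefore != null && !idBefore.equals(idAfter)) transition = "session-id-changed";
            else transition = "unchanged";
            // Record both sides of the request; session ids are compared but never logged.
            AUDIT.info(String.format("uri=%s userBefore=%s userAfter=%s transition=%s",
                    req.getRequestURI(), userBefore, req.getRemoteUser(), transition));
        }
    }

    // Login helper: rotate the id after authentication (Servlet 3.1 changeSessionId()).
    public static void login(HttpServletRequest req, String user, String password)
            throws ServletException {
        req.getSession(true);        // make sure there is a session to rotate
        req.login(user, password);   // container-managed authentication
        req.changeSessionId();       // new id, same session attributes
    }
}
```
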
Ok so let's move back to cdi-dev list too. :) Can you please elaborate a bit more why
you think it's not consistent?
Thanks
Tom
----- Original Message -----
From: "Romain Manni-Bucau" <rmannibucau(a)gmail.com>
To: "Tomas Remes" <tremes(a)redhat.com>
Cc: cdi-tck(a)lists.jboss.org
Sent: Monday, December 29, 2014 11:08:49 AM
Subject: Re: [cdi-dev] session destroyed event
Hi
sorry to have used the wrong list.
The issue is then that the scope is not consistent (think of a login/logout mechanism
for instance).
Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau
2014-12-29 11:02 GMT+01:00 Tomas Remes <tremes(a)redhat.com>:
>
> Hi,
>
> I think the destroy event is triggered at the end of the request and not immediately
> if I understand correctly. The spec states:
>
> "The session context is destroyed when the HTTPSession times out, after all
> HttpSessionListeners have been called, and at the very end of any request in which
> invalidate() was called, after all filters and ServletRequestListeners have been
> called."
>
> Please let's move TCK related topics to cdi-tck mailing list.
>
> Thanks
> Tom
>
> ----- Original Message -----
> From: "Romain Manni-Bucau" <rmannibucau(a)gmail.com>
> To: cdi-dev(a)lists.jboss.org
> Sent: Tuesday, December 23, 2014 8:58:16 PM
> Subject: [cdi-dev] session destroyed event
>
> Hi
>
> why does org.jboss.cdi.tck.tests.context.session.event.Servlet#doGet ensure
>
> destroyed == observer.getDestroyedSessionCount().get()
>
> For me the invalidate call should trigger the destroy event: you can
> create N sessions in a single request
>
>
> Romain Manni-Bucau
> @rmannibucau
--
Tomas Remes