session.getSession(true) does not create new sessionID after invalidation
-------------------------------------------------------------------------
Key: JBAS-4436
URL:
http://jira.jboss.com/jira/browse/JBAS-4436
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.0.3 SP1
Environment: JBoss 4.03SP1 running on java version 1.5.0_10, server is a standard
SuSE 10 linux
Reporter: Ludwig Adam
Assigned To: Remy Maucherat
It is not possible to generate new session IDs as expected and stated in the servlet
specification.
A call of HttpSession.invalidate() unbounds all objects attached to the session but does
not set the session to invalid.
Sample Code:
public class SessionTest extends HttpServlet {
protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse
httpServletResponse) throws ServletException, IOException {
HttpSession curSession=httpServletRequest.getSession();
String prevSession = curSession.getId();
curSession.invalidate(); // Should invalidate session
curSession= httpServletRequest.getSession(true); // Should return new valid
session, but returns old session instead
String newSession= curSession.getId();
boolean testCondition = prevSession.equals(newSession); // is true
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira