[cdi-dev] session destroyed event
rmannibucau at gmail.com
Fri Jan 2 03:46:05 EST 2015
If the spec mandates the session scope to be >= request scope then if
you logout during a request you would keep incorrect session.
If you do:
Then your audit will still be bound to the user before the logout but
actually it is no more accurate. Can be ok in some cases but can be an
issue in some others. Also in this case destroy event will have a
session which can have been garbaged/destoyed by the container and
potentially (if pooled) reaffected to another request.
If you take the login case it is the opposite and here if you use
sessionId in your logic you can have troubles as well since it is very
recommanded (sometimes forced by the container) to change the
sessionId when a user is logged.
2015-01-02 8:54 GMT+01:00 Tomas Remes <tremes at redhat.com>:
> Ok so let's move back to cdi-dev list too.:) Can you please elaborate bit more why do you think it's not consistent?
> ----- Original Message -----
> From: "Romain Manni-Bucau" <rmannibucau at gmail.com>
> To: "Tomas Remes" <tremes at redhat.com>
> Cc: cdi-tck at lists.jboss.org
> Sent: Monday, December 29, 2014 11:08:49 AM
> Subject: Re: [cdi-dev] session destroyed event
> sorry to have used the wrong list.
> Issue is then scope is not consistent (think to login/logout mecanism
> for instance).
> Romain Manni-Bucau
> 2014-12-29 11:02 GMT+01:00 Tomas Remes <tremes at redhat.com>:
>> I think the destroy event is triggered at the end of the request and not immediately if I understand correctly. The spec states:
>> "The session context is destroyed when the HTTPSession times out, after all
>> HttpSessionListener s have been called, and at the very end of any request in which
>> invalidate() was called, after all filters and ServletRequestListener s have been called."
>> Please let's move TCK related topics to cdi-tck mailing list.
>> ----- Original Message -----
>> From: "Romain Manni-Bucau" <rmannibucau at gmail.com>
>> To: cdi-dev at lists.jboss.org
>> Sent: Tuesday, December 23, 2014 8:58:16 PM
>> Subject: [cdi-dev] session destroyed event
>> why org.jboss.cdi.tck.tests.context.session.event.Servlet#doGet ensures
>> destroyed == observer.getDestroyedSessionCount().get()
>> For me invalidate call should trigger the destroy event: you can
>> create N session in a single requests
>> Romain Manni-Bucau
>> cdi-dev mailing list
>> cdi-dev at lists.jboss.org
>> Note that for all code provided on this list, the provider licenses the code under the Apache License, Version 2 (http://www.apache.org/licenses/LICENSE-2.0.html). For all other ideas provided on this list, the provider waives all patent and other intellectual property rights inherent in such information.
> Tomas Remes
More information about the cdi-dev