[jboss-jira] [JBoss JIRA] Created: (JBAS-4436) session.getSession(true) does not create new sessionID after invalidation
Ludwig Adam (JIRA)
jira-events at lists.jboss.org
Tue May 22 09:30:52 EDT 2007
session.getSession(true) does not create new sessionID after invalidation
-------------------------------------------------------------------------
Key: JBAS-4436
URL: http://jira.jboss.com/jira/browse/JBAS-4436
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.0.3 SP1
Environment: JBoss 4.03SP1 running on java version 1.5.0_10, server is a standard SuSE 10 linux
Reporter: Ludwig Adam
Assigned To: Remy Maucherat
It is not possible to generate new session IDs as expected and stated in the servlet specification.
A call of HttpSession.invalidate() unbounds all objects attached to the session but does not set the session to invalid.
Sample Code:
public class SessionTest extends HttpServlet {
protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
HttpSession curSession=httpServletRequest.getSession();
String prevSession = curSession.getId();
curSession.invalidate(); // Should invalidate session
curSession= httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead
String newSession= curSession.getId();
boolean testCondition = prevSession.equals(newSession); // is true
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list