[jboss-jira] [JBoss JIRA] Updated: (JBAS-4436) session.getSession(true) does not create new sessionID after invalidation
Ludwig Adam (JIRA)
jira-events at lists.jboss.org
Tue May 22 15:28:52 EDT 2007
[ http://jira.jboss.com/jira/browse/JBAS-4436?page=all ]
Ludwig Adam updated JBAS-4436:
------------------------------
Description:
It is not possible to generate new session IDs as expected and stated in the servlet specification.
A call of HttpSession.invalidate() unbounds all objects attached to the session but does not set the session to invalid.
Sample Code:
public class SessionTest extends HttpServlet {
protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
HttpSession curSession=httpServletRequest.getSession();
String prevSession = curSession.getId();
curSession.invalidate(); // Should invalidate session
curSession= httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead
String newSession= curSession.getId();
boolean testCondition = prevSession.equals(newSession); // is true
}
}
EDIT: I am not sure if this affects versions higher than 4.03 as well
was:
It is not possible to generate new session IDs as expected and stated in the servlet specification.
A call of HttpSession.invalidate() unbounds all objects attached to the session but does not set the session to invalid.
Sample Code:
public class SessionTest extends HttpServlet {
protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
HttpSession curSession=httpServletRequest.getSession();
String prevSession = curSession.getId();
curSession.invalidate(); // Should invalidate session
curSession= httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead
String newSession= curSession.getId();
boolean testCondition = prevSession.equals(newSession); // is true
}
}
> session.getSession(true) does not create new sessionID after invalidation
> -------------------------------------------------------------------------
>
> Key: JBAS-4436
> URL: http://jira.jboss.com/jira/browse/JBAS-4436
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-4.0.3 SP1
> Environment: JBoss 4.03SP1 running on java version 1.5.0_10, server is a standard SuSE 10 linux
> Reporter: Ludwig Adam
> Assigned To: Remy Maucherat
>
> It is not possible to generate new session IDs as expected and stated in the servlet specification.
> A call of HttpSession.invalidate() unbounds all objects attached to the session but does not set the session to invalid.
> Sample Code:
>
>
> public class SessionTest extends HttpServlet {
> protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
> HttpSession curSession=httpServletRequest.getSession();
> String prevSession = curSession.getId();
> curSession.invalidate(); // Should invalidate session
> curSession= httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead
> String newSession= curSession.getId();
> boolean testCondition = prevSession.equals(newSession); // is true
> }
> }
> EDIT: I am not sure if this affects versions higher than 4.03 as well
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list