• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

request.getSession(false) not working

 
Ranch Hand
Posts: 92
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hey all,
Has anyone ever had any problems with request.getSession(false) in Tomcat 4.1.29 on Mac OS 10.3.3 with Struts? I'm using it and, unless I'm mistaken about the way it's supposed to behave, it is not doing what it should be. For example:

This above code SHOULD redirect to the login page if the session is no longer valid (it has timed out). Instead, it creates a NEW session, with a NEW sesion ID, new create time etc..... and continues on its merry way - all things it shoudn't do if I pass "false" to the method. Perhaps, I'm just being stupid about this.... please say I'm just being stupid about this....
Thanks.
--BW
 
Ranch Hand
Posts: 155
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
HttpSession session = request.getSession(false);
returns a null object if no session exist (session has expired).
So, calling logger.debug("SESSION ID: " + session.getId());
throws an exception.
if(session == null) {} is never reached when the session is null.
 
Brian R. Wainwright
Ranch Hand
Posts: 92
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

So, calling logger.debug("SESSION ID: " + session.getId());
throws an exception


It SHOULD throw an exception, but it never does. Instead getSession(false) creates a brand spanking new session and the null test fails as a result.
 
Brahim Bakayoko
Ranch Hand
Posts: 155
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In that case, a new session is being created passively by a jsp or actively by a servlet (check your code) <code your jsps to not create sessions).
 
Brian R. Wainwright
Ranch Hand
Posts: 92
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hmmmm... thanks for the reply Brahim... I think you may be on to something, but not in the way you're suggesting. If I load a jsp and let it sit idle beyond the specified session-timeout and then execute the action/servlet, I STILL get a new session - the jsp isn't involved in this case. However.... the form on the jsp is a Struts ActionForm with request scope that I suppose could be behaving badly when it gets submitted. It shouldn't care about the session though, so I don't know. My gut feeling is that Struts is the problem somehow since I've been able to duplicate the issue on Solaris with Tomcat 5.0.x - so it doesn't seem to be a servlet container implementation. Not to try and change the forum, but does anyone with familiarity with Struts happen to know if any of the Action classes (DispatchAction in this case) calls getSession()....? I'll take a look at the source code myself, but I wanna keep this thread going since the problems I'm having fly in the face of everything I know about HttpSessions.... Thanks!
 
Brahim Bakayoko
Ranch Hand
Posts: 155
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hum...
The issue is not with Struts.
Did you add "<%@page session='false' "%> to all involved JSPs?
Did you make sure that none of your servlets are calling req.getSession() or req.getSession(true)?
What you are experiencing is an effect of a poor design pattern.
If you want to control the creation and/or untimed destruction of sessions, do it in a single servlet and preferably a filter.
Everywhere else:
- add "<%@page session='false' "%> to all JSPs
- call on .getSession(false) when in servlets
- test for nullity on the session object
- dispatch where appropriate if null
Also, since you are debugging your application, you should think of calling on session.invalidate() rather than waiting for the session to time out for your testing. You could save some time.
 
Brian R. Wainwright
Ranch Hand
Posts: 92
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hey Brahim,
Thanks again for the reply.

Did you add "<%@page session='false' "%> to all involved JSPs?


I haven't because I need access to the session in most of my JSP's. I'm storing such things as the currently logged in user and other stuff. Setting that to false will preclude me from doing so will it not?
Besides, it still doesn't explain some of the odd behavior I cited above. If the browser is inactive beyond timeout and the ONLY subsequent user interaction is submitting a form that calls some servlet code that, before it does anything else, calls getSession(false), then it couldn't be the JSP that's creating the new session. Know what I mean? If all my navigation is controlled by a servlet (in my case Struts Actions) and the first thing that it does is check the validity of the session object (through getSession(false) and then a null check on the result) then it follows that the JSP never comes into it. The JSP's should be using the same session and, if they're loaded outside of servlet that implements the above code, then yeah, I'd expect a new session. But I don't expect a new session when in the other circumstance.
Here's some debug statements that may indicate what's going on..
On login at 16:46:53 a new session is created with a timeout of 60 seconds.

Then, ~3 minutes later at 16:50:14 - when the other session has timed out. A button is clicked that calls some code that has as its first statement session = request.getSession(false). The result of which is a new session.... or so it appears...

It doesn't make sense....
--BW
 
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Have you tried using a session listener to figure out if it is your call that is creating the session or if something else is doing it before your code executes?
 
Brian R. Wainwright
Ranch Hand
Posts: 92
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Bear,
I haven't yet done that. I was hoping to avoid doing it - I guess out of sheer laziness - but at this point it's probably a good idea (actually, its a tight deadline and.. blah blah....). I'll keep ya'll posted.
 
Brian R. Wainwright
Ranch Hand
Posts: 92
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Guys,
So I implemented an HttpSessionListener and was able to determine that SOMETHING else is creating my sessions before I call getSession(false);
Just to see what happens the sessionCreated and sessionDestroyed methods just log the session ID and some text.

I suppose I'll have to take a look at my Struts config and see if there's some forwarding going on that could be creating a request prior to the action method being called. Does anyone have any other ideas?
--BW
 
reply
    Bookmark Topic Watch Topic
  • New Topic