How to invalidate a user session, when I only have a session ID?

 
Jerry Lee
Greenhorn
Posts: 16
How to invalidate a user session, when I only have a session ID?

Here is some more info:

1) I have a servlet called LogoutServlet.java that programmatically invalidates the user's HttpSession.
2) I do a Single Sign On to a third party web application, i.e. ssoWeb. I tell it my sessionID. After a while, ssoWeb invokes my LogoutServlet and passes the sessionID back to me.

Now I want to invalidate that session, how do I do it?

I noticed HttpSessionContext has a method getSession(String sessionId). However, I don't want to use it, since it is deprecated.

Thank you.
 
Purushoth Thambu
Ranch Hand
Posts: 425
You have to use JMX to get the list of sessions and call the invalidate() method on that session. JMX MBeans vary across servers. In WebLogic you have WebAppComponentRuntimeMBean, which has an API to access servlet session(s), and ServletSessionMBean to control the session. You may have to consult your web app server's JMX documentation.
 
Ben Souther
Sheriff
Posts: 13411
With a session listener, you could put a reference to each session in a map when it's created. Use the sessionID as its key.
When the session is invalidated, be sure to pull it from the map.
Bind the map to application scope.

I have some sample code that does similar things for session tracking.
http://simple.souther.us/not-so-simple.html
Look for Session Monitor.
[ September 22, 2006: Message edited by: Ben Souther ]
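
The listener-and-map approach described in the reply above, as an added example that is not part of the original thread or of the linked sample code. The class name `SessionRegistry`, the attribute name and the `invalidate` helper are hypothetical; it assumes the `javax.servlet` API and a single JVM.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name; register it with a <listener> element in web.xml.
public class SessionRegistry implements HttpSessionListener {

    // Hypothetical application-scope attribute name for the map.
    static final String ATTR = "sessionRegistry";

    // Returns the application-scope map, creating it on first use.
    @SuppressWarnings("unchecked")
    private static Map<String, HttpSession> registry(ServletContext ctx) {
        synchronized (ctx) {
            Map<String, HttpSession> m = (Map<String, HttpSession>) ctx.getAttribute(ATTR);
            if (m == null) {
                m = new ConcurrentHashMap<String, HttpSession>();
                ctx.setAttribute(ATTR, m);
            }
            return m;
        }
    }

    // Track every new session under its ID.
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        registry(s.getServletContext()).put(s.getId(), s);
    }

    // Drop the reference on timeout or invalidation so the map does not leak.
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        registry(s.getServletContext()).remove(s.getId());
    }

    // Called from LogoutServlet with the ID passed back by the SSO partner.
    // Returns false when the ID is unknown or the session has already ended.
    public static boolean invalidate(ServletContext ctx, String sessionId) {
        if (sessionId == null) return false;
        HttpSession s = registry(ctx).remove(sessionId);
        if (s == null) return false;
        try {
            s.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            return false;
        }
    }
}
```

Because anyone who can reach the logout servlet with a valid ID can end that user's session, the servlet should authenticate the calling application before invoking `invalidate`. If the container changes the session ID after login (for example `HttpServletRequest.changeSessionId()` in Servlet 3.1), the map key must be updated as well, which `HttpSessionIdListener` allows.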
 