Session is not invalidated

Hi guys! I have the following code...

import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; public class LogoffController extends HttpServlet { public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { HttpSession session = request.getSession(); session.invalidate(); String redirectUrl = request.getParameter("url") == null ? "" : request.getParameter("url"); response.sendRedirect(redirectUrl); } public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { doPost(request, response); } }


Now, this logoff servlet is called from another application. Basically, app1 has its own session and so is app2.

When a user clicks logoff in app1, app1 makes a call to app2's logoff servlet. Howeve, it seems that only app1's session is destroyed and not app2. It should be both. What could be the problem here? Thanks!

Sessions are not cross context.
You will need to explicitly invalidate the session in each context.

Yes, that is why I made a redirect from app1 to app2's logoff servlet. Let's say app1 has its own servlet to invalidate its session, and app2 also has that also. What happens is this:

app1's loggoff buttons is clicked
app1's logoff servlet executes and invalidates its session
app1's logoff servlet redirect to app2's logoff servlet
app2's logoff servlet executes and redirect to some other page/site


or is this totally impossible? Thanks!

Yes, that is why I made a redirect from app1 to app2's logoff servlet. Let's say app1 has its own servlet to invalidate its session, and app2 also has that also. What happens is this:

app1's loggoff buttons is clicked
app1's logoff servlet executes and invalidates its session
app1's logoff servlet redirect to app2's logoff servlet
app2's logoff servlet executes and redirect to some other page/site


or is this totally impossible? app2 BTW is in an iFrame. Thanks!

Hi,
Please correct me if i am wrong. When you are clicking on LogOff from App1, it's passing the request to App2. Now, the Servlet class, that you have texted here, is the one used by App2. Alright...Now, in the servlet you are creating Session, from the request, which is coming from App1. Hence, it will create a session of App1's. Session.invalidate(), clears of everything from App1's session.
I don't think, you can pass the request from App1 to App2, to close the Session of App2;'cauz App1's session doesn't necessarily maintain App2's session, unless it's kind of single sign-on or, common Header space for both the Apps.
Let's see it with an example; Let's say, App1 is a portal, where you log in. That creates a session in App1. From App1, you have got a link to go to App2, which is taking some user info from App1 header & starts it's own session. Now, if you log-off from App2, that doesn't mean, you are invalidating the session of App1 also.
I hope, you are clear with what point I am trying to drive straight home.

Subhadip Chatterjee

Thanks! You actually got it clear and I get your point. Hmmm... What could be a possible workaround? I'm thinking of just passing everything from request to request instead of session but it seems very insecure. App2 had to be a separate one since App1 is an app from our client and they happen to be just outsourcing App2 to us.

Hi Sam,
It's good to hear that you understood my example. I am also gonna work on this to find a solution for you, as well. But passing request (RequestDispatcher) only works in individual Servlet Contexts, it's not a cross-context stuff. So, we both have to do a little thinking over that.If you come up, with something, post that for folks sake, 'cauz that will be really helpful.