• Post Reply Bookmark Topic Watch Topic
  • New Topic

Invalidating all sessions  RSS feed

 
sridhar lakka
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,
Thanks in advance.
In my application we have to invalidate all the sessions at a particular time.And we are using Quartz schedualr which will calls a class which is implementing Job.In this class I have Servlet Context object also. Using this I want to invalidate all the active sessions.I have idea like by using HttpSessionListener we can do.But after creating a class of HttpSessionListener, what should I do.And the class which is executing on aprticular time is a normal Java class.
Please give me the idea if possible with example.

Regards,
Sree
 
Remko Strating
Ranch Hand
Posts: 893
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

All valid sessions are grouped together in a HttpSessionContext object. Theoretically, a server may have multiple session contexts, although in practice most have just one. A reference to the server's HttpSessionContext is available via any session object's getSessionContext() method:

public HttpSessionContext HttpSession.getSessionContext()

This method returns the context in which the session is bound. It throws an IllegalStateException if the session is invalid.

Once you have an HttpSessionContext, it's possible to use it to examine all the currently valid sessions with the following two methods:

public Enumeration HttpSessionContext.getIds()
public HttpSession HttpSessionContext.getSession(String sessionId)

The getIds() method returns an Enumeration that contains the session IDs for all the currently valid sessions in this context or an empty Enumeration if there are no valid sessions. getSession() returns the session associated with the given session ID. The session IDs returned by getIds() should be held as a server secret because any client with knowledge of another client's session ID can, with a forged cookie or URL, join the second client's session.



I think this lines will be helpful


http://www.unix.org.ua/orelly/java-ent/servlet/ch07_05.htm


I found your question where interesting so I will also write a method for invaliding session.
 
sridhar lakka
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Remko,
Thanks a lot , yes really these words will helps me.
But, after getting session id's how can i invalidate those sessions and I am using a normal class which is not a servlet.
Please help me with some example code.

Regards,
Sree
 
sridhar lakka
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Remko,
One more thing these SessionContext method and classes are depricated and there is no replacement.
then how?

Interface HttpSessionContext
Deprecated. As of Java(tm) Servlet API 2.1 for security reasons, with no replacement. This interface will be removed in a future version of this API.

Regards,
Sree
 
Amol Nayak
Ranch Hand
Posts: 218
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
By registering a HttpSessionListener you can get the notification of the new session creation, You can get the HttpSession object from the HttpSessionEvent
add it to a map bound as an attribute in ServletContext in sessionCreated method, and remove it from the map in sessionDestroyed method.
When even you want to invalidate the sessions get the list of values in the map from ServletContext, iterate through it and invalidate one by one, clear the list.

This is one of the way, i am sure there can be some better way as well.

I am waiting for other posts see a better solution.
 
sridhar lakka
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Amol,
Thanks for your reply.
I got the same idea earlier but could you please tell me why we should use Map here and how we can remove in sessionDestroyed() method.Please give some example code.

Regards,
Sree
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This sounds like a very bizarre requirement.
Out of curiosity, why do you want to do this?

Amol's technique is exactly what I would do.
It's what I have done in the "Session Monitor" example on my site, http://simple.souther.us/not-so-simple.html

A map is a good way to keep track of objects by key. In my example, I used the sessionId as the key.
 
Amol Nayak
Ranch Hand
Posts: 218
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
See, a reference to all the HttpSession objects is needed to invalidate all the sessions. By keeping those in a Map with session id as the key we are easily able to remove those when the use explicitly invalidated the session or the session times out, in that case sessionDestroyed will be called where we can remove this HttpSession object from the Map.
When ever your class which invalidates all the sessions is invoked you can get the map bound to the context and get the List of values from the map, iterate and invalidate them one by one.




The only concern is this approach won work if the application is distributed
and your application is not the default application.
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In this particular case, a HashMap might not be the best structure to use.

Unlike HashTable, the methods of HashMap are not synchronized.
This could present a problem when you iterate through the map and call invalidate on each session.
When you invalidate the session, the listener is going to try to remove it from the map while you're still iterating through it. For that reason, you might want to use a HashTable or ConcurrentHashMap OR.. iterate through the map and put the session references into a list, then iterate through the list to call invalidate on each of them.
 
Amol Nayak
Ranch Hand
Posts: 218
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hmmm... thats right, never thought of it..
 
Remko Strating
Ranch Hand
Posts: 893
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I was the whole day away.

It's a shame that the methods are depreciated.

In my application I now log all the session id's into a database. But I don't have any method for sending a message to session. As I want to shutdown the server for updating, etc. This sounds for me very strange and I was happy that I found the methods.
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Remko Strating:

It's a shame that the methods are depreciated.

In my application I now log all the session id's into a database. But I don't have any method for sending a message to session. As I want to shutdown the server for updating, etc. This sounds for me very strange and I was happy that I found the methods.


It's not a shame because new methods in the servlet spec still make this possible.

If you bind all of your sessions to a map and then bind that map to context scope, you can certainly iterate through them and add or remove attributes.

I don't want this to hi-jack the original poster's thread with a discussion of some deprecated methods but you're certainly welcome to start a new thread if there is some part of this that you don't understand.
 
sridhar lakka
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,
Thanks a lot for your great suggestions.
I have implemented using Hashtable but only first session is invalidating and for others it is throwing an exception as follows,

The following exception was logged java.util.ConcurrentModificationException
at java.util.Hashtable$Enumerator.next(Hashtable.java:976)
at com.cummins.advisor.schedular.SchedualrImpl.removeAllSessions(SchedualrImpl.java:80)
at com.cummins.advisor.schedular.SchedualrImpl.execute(SchedualrImpl.java:69)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)

I have opened multiple browsers with same user name, faced this problem

Please help me.

Regards,
Sree
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I suspected that would happen.

You're trying to remove sessions from the table/map while you're still iterating over them.

Try my other approach.
Instanciate a list.
Loop through your table of session and put the sessions in the list.
Then loop through the list and call invalidate on each of the sessions.

Make sure the list is a local variable.
You don't want to accidentally keep references to the invalidated sessions around when you're done.
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!