Probably not a good idea. If you can shed some light on why you feel you need to do this in a JSP we might be able to help you figure out a better alternative solution. But without more details we can only say, probably not a good idea to do this.
I was working on some sample application with a login page and some other dummy page. After submitting the form to the servlet, the servlet authenticates the user and redirects to some other page. Simple flow.
I'm checking for a session in my servlet; if it does not exist, I'm creating one and adding the userid as an attribute to the session.
The above code is just a template; I have not put much processing in it. When the user logs in first, I'm expecting the session to be null, and the session needs to be created for the first time.
But maybe because of the JSP, the session is implicitly created, even before it reaches the session, which I wanted to avoid. So I thought of invalidating the session in the JSP as below before submitting the form.
I was able to achieve what I wanted with this code (not having a session the first time), but I was not sure if that is the right approach. I agree that invalidating the session in the view is not recommended, but how can my task be achieved in another way?
You should stop worrying about this at the session level. Put an object in the session after validation and check for it rather than the session. To log out, remove the object. Don't bother invalidating the session.
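The approach suggested in the reply above, sketched as an added example (not code from any poster in this thread): the attribute name `authUser`, the `credentialsAreValid` hook and the `/login.jsp` and `/home.jsp` paths are assumptions. It also rotates the session ID at login with `changeSessionId()` (Servlet 3.1+), which goes beyond what the thread discusses.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration: "logged in" means the marker attribute is present, not that a session exists.
public class SessionMarkerExample {
    static final String AUTH_USER = "authUser"; // assumed attribute name

    // Login: the marker is set only after validation succeeds. Subclass and map to /login.
    public abstract static class LoginServlet extends HttpServlet {
        // Hypothetical hook: check the submitted credentials against your own user store.
        protected abstract boolean credentialsAreValid(String userId, String password);

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String userId = req.getParameter("userid");
            if (!credentialsAreValid(userId, req.getParameter("password"))) {
                resp.sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            HttpSession session = req.getSession(); // may already exist because the JSP created it
            req.changeSessionId();                  // new ID, so a pre-login session ID is not reused
            session.setAttribute(AUTH_USER, userId);
            resp.sendRedirect(req.getContextPath() + "/home.jsp");
        }
    }

    // Map this filter to the protected URLs only (not the login page or /login).
    public static class AuthFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }
        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpSession session = req.getSession(false); // look up only, never create one here
            if (session == null || session.getAttribute(AUTH_USER) == null) {
                ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            chain.doFilter(rq, rs);
        }
    }

    // Logout: remove the marker; the session itself may live on.
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) session.removeAttribute(AUTH_USER);
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }
}
```

When the container times the session out, the marker disappears with it, so the filter treats an expired session the same as a logged-out one.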
Bear Bibeault wrote: You should stop worrying about this at the session level. Put an object in the session after validation and check for it rather than the session. To log out, remove the object. Don't bother invalidating the session.
I think I did not really follow your suggestion. Would you mind elaborating on it more? Are you saying that instead of invalidating the session, after the user is authenticated, the user is added to the session (or some other object is put into the session), and we check for the presence of this object in the session to see if the session is still active or not? I think for this I need to set the session timeout in web.xml.
"To log out, remove the object." I did not follow how the user would be logged out if we remove the object from the session. Removing the object would not kill the session. Please correct me.
Thanks Bear, but please bear with me and help me understand this concept.
"To log out, remove the object. Don't bother invalidating the session." Please confirm the object removal process. Did you mean this to be achieved by the session timeout in web.xml, or did you mean calling "removeAttribute" on the session? But when do we call this?