
How to invalidate HTTPSession on logout

 
Jessie Smith
Greenhorn
Posts: 3

See code below. getSession(false) returns a session, but getAttribute returns null. The session has already been invalidated (basically because this method gets called twice in the situation I'm testing). The error that I'm dealing with is that the username attribute is null. Is it more correct to call isRequestedSessionIdValid() before trying to get the username attribute and invalidating the session, or is it better to just add a null check?

Here's my code:


For example, should I change my code to:


or, should I just do:

 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66157
First of all, invalidating the session is a poor way to perform a logout. Rather, the presence of a username in the session indicates that the user is logged in, right? So just remove the username from the session to logout.

Invalidating the whole session is a commonly-made overstep.

Secondly, you say that the invalidation's happening twice? Why?
 
Jessie Smith
Greenhorn
Posts: 3
Thanks for the response. It's good to know that invalidating the session is overkill.

The logout method is called twice under two different scenarios. I'm sure that that is a bigger issue that needs to be fixed. Since I just started at this job I'm at, I don't know all the ins and outs of how everything works and why things have been done the way that they have. The first way that I've seen (or forced) the logout to happen twice is when the application times out. It calls it once, but if the call to 'logout' times out, the application tries to call 'logout' again. The other way I've seen it happen is when I open two browser instances and log in to the application as the same user, and allow the application to timeout for both sessions, the 'logout' method invalidates the first session fine, but when it gets into the 'logout' method the second time, the session doesn't have the attributes. In that situation it seems like my two logins are using the same session? Which doesn't make sense to me, but that's the only way I can explain it.
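The situation described in the thread (logout invoked twice, the second time on a session that no longer carries a username) is handled below by a logout servlet that is safe to call any number of times. This is an added example written for this page, not code from either poster; the servlet path `/logout`, the attribute name `username`, and the redirect target `/login.jsp` are assumptions. It uses `getSession(false)` so that a logout never creates a fresh session, null-checks both the session and the attribute, and treats `IllegalStateException` as "already logged out" in case the container hands back a session object that was invalidated earlier in the same request.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (added example, not the poster's code).
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Attribute name assumed from the thread: its presence marks a logged-in user.
    static final String USERNAME_ATTR = "username";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logout(req);
        // Whether or not anyone was still logged in, land on the login page.
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }

    /**
     * Idempotent logout: safe to call twice, with or without an existing session.
     * Returns the username that was logged out, or null if no one was logged in.
     */
    static String logout(HttpServletRequest req) {
        // getSession(false) never creates a session; null means the client sent
        // no session id, or one the container no longer holds (timed out or
        // already invalidated by an earlier request). No isRequestedSessionIdValid()
        // call is needed for that check.
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        String user;
        try {
            user = (String) session.getAttribute(USERNAME_ATTR);
        } catch (IllegalStateException alreadyInvalidated) {
            // Defensive: the servlet spec lets every accessor on an invalidated
            // session throw, and the same request object may be reused.
            return null;
        }
        if (user == null) {
            // Session exists but nobody is logged in on it: this is the second
            // 'logout' call from the thread, or a tab sharing the session cookie.
            return null;
        }
        // Drop the login marker, then the whole session, so nothing else stored
        // in it (roles, cached data, tokens) outlives the logout.
        session.removeAttribute(USERNAME_ATTR);
        try {
            session.invalidate();
        } catch (IllegalStateException raced) {
            // A concurrent request invalidated it between the check above and
            // this call; the end state is the same, so nothing more to do.
        }
        return user;
    }
}
```

Because `logout` returns null rather than throwing when there is nothing to log out, the timeout-and-retry path in the thread becomes harmless: the first call removes the user and invalidates, the second finds no session (or a session with no username) and simply redirects.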
 