request.getSession(false) not returning null after calling session.invalidate()

Shouldn't invalidating a session cause request.getSession(false) to return null? In my logout servlet I call

session.invalidate();

and in my login status filter I call

request.getSession(false);

The call to getSession(false) never returns null but all attributes associated with the session object returned are null. I currently detect if a user is logged out by searching for null attributes but this doesn't seem right.

Usman Mutawakil asked Jan 28 '13 07:01


2 Answers

I currently detect if a user is logged out by searching for null attributes

That's also the normal approach. To check if a user is logged in, you should surely not check whether the servlet container has created the session or not. This does not represent the logged-in user at all.

On login, just put the user model object in the session scope without checking if the container has created the session for you. In other words, just use getSession() without the boolean argument so that the container will autocreate it if necessary; you need the session at this point anyway:

@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    User user = userService.find(username, password);

    if (user != null) {
        request.getSession().setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");
    } else {
        request.setAttribute("message", "Unknown login. Please retry.");
        request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
    }
}

On access filtering, just check if the session attribute representing the logged-in user is present. You only use getSession(false) here to avoid unnecessary session creation; otherwise, for example, search bots would trigger session creation, which is totally unnecessary:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    User user = (session != null) ? (User) session.getAttribute("user") : null;
    String loginURL = request.getContextPath() + "/login"; 

    if (user == null && !request.getRequestURI().equals(loginURL)) {       
        response.sendRedirect(loginURL);
    } else {
        chain.doFilter(request, response);
    }
}

On logout, make sure that you send a redirect after invalidate, because the current session is still available in the response of a forward.

@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    request.getSession().invalidate();
    response.sendRedirect(request.getContextPath() + "/login");
}
BalusC answered Nov 15 '22 19:11

For every servlet or JSP you travel to, you should call

request.getSession(false);

except for your first page, where you create the session by

request.getSession(true);

If you don't call

request.getSession(false);

then the session is not carried to that page, so before you call

session.invalidate();

make sure you are continuing the session to that page by calling

request.getSession(false);
Hussain Akhtar Wahid 'Ghouri' answered Nov 15 '22 17:11