Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

request.getSession(false) not returning null after calling session.invalidate()

Tags:

java

servlets

jakarta-ee

session-state

Shouldn't invalidating a session cause request.getSession(false) to return null? In my logout servlet I call 

session.invalidate();

and in my login status filter I call

request.getSession(false);

The call to getSession(false) never returns null but all attributes associated with the session object returned are null. I currently detect if a user is logged out by searching for null attributes but this doesn't seem right.

like image 203
Usman Mutawakil Avatar asked Jan 28 '13 07:01

Usman Mutawakil

People also ask

How do I invalidate a HTTP session?

HTTP sessions are invalidated by calling the invalidate method on the session object or by specifying a specific time interval using the MaxInactiveInterval property. Sessions that are invalidated explicitly by application code are invalidated immediately.

What is request getSession false?

request. getSession(false) will return current session if current session exists. If not, it will not create a new session.

What is request getSession?

getSession() returns the valid session object associated with the request, identified in the session cookie that is encapsulated in the request object. Calling the method with no arguments creates a session if one does not exist that is associated with the request.

How do you check session is invalidated or not in Java?

– Retrieve a session from “request. getSession(false);”, this function will return a session if existed , else a null value will return. – Later you can do a “null” checking with the session object, null means no existed session available.

2 Answers

I currently detect if a user is logged out by searching for null attributes

That's also the normal approach. To check if an user is logged in, you should surely not check if the servletcontainer has created the session or not. This does not represent the logged-in user at all.

On login, just put the user model object in the session scope without checking if the container has created the session for you. In other words, just use getSession() without boolean argument so that the container will autocreate if necessary, you need the session at this point anyway:

@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    User user = userService.find(username, password);

    if (user != null) {
        request.getSession().setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");
    } else {
        request.setAttribute("message", "Unknown login. Please retry.");
        request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
    }
}

On access filtering, just check if the session attribute representing the logged-in user is present, you only use getSession(false) here to avoid unnecessary session creation, otherwise for example searchbots would trigger session creation which is totally unnecessary:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    User user = (session != null) ? (User) session.getAttribute("user") : null;
    String loginURL = request.getContextPath() + "/login"; 

    if (user == null && !request.getRequestURI().equals(loginURL)) {       
        response.sendRedirect(loginURL);
    } else {
        chain.doFilter(request, response);
    }
}

On logout, make sure that you send a redirect after invalidate, because the current session is still available in the response of a forward.

@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    request.getSession().invalidate();
    response.sendRedirect(request.getContextPath() + "/login");
}
like image 144
BalusC Avatar answered Nov 15 '22 19:11

BalusC

for every servlet or jsp you travel you should call

request.getSession(false);

except for you first page where you create the sessionby 

request.getSession(true);

if you dont call 

request.getSession(false);

then the session is not carried till that page so before you call

session.invalidate();

make sure you are continuing the session to that page by calling

request.getSession(false);
like image 42
Hussain Akhtar Wahid 'Ghouri' Avatar answered Nov 15 '22 17:11

Hussain Akhtar Wahid 'Ghouri'
Sign in to Comment

Related questions

Reducing memory consumption in Java [closed]
CipherInputStream only read 16 bytes (AES/Java)
When to create a custom Classloaders? [closed]
Create folder if it does not exist in the Google Drive
How to override hibernate collection join column?
Google Drive Unresolved Imports
Learning java, cannot find symbol
Can I set the logging level within a Java method using log4j?
JPQL and Join Table
What is the difference between declaring List<Integer> vs ArrayList<Integer>?
Java Map sort by value
HttpMediaTypeNotAcceptableException after upgrading to Spring 3.2
Why don't some xhdpi mobiles display image located in /res/drawable only?
Error while using Attach Api
ThreadLocal HashMap vs ConcurrentHashMap for thread-safe unbound caches
How to integrate Spring Security and Struts2
Programming with Core JAVA - Reflection API [duplicate]
Convert private key in PEM format
Semaphores and Threadpools in Java
Printing unique object identity for debugging purposes in Java

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!