3 Replies Latest reply on Dec 23, 2009 3:11 AM by isto.nikula

    Session in JBOSS and response.sendredirect()

      I've written a small JAVA web application to test how the session behaves in JBOSS (I have deployed my application in JBOSS AS). I noticed that as long as I don't close the window through which I started my application, the session ID always remains the same no matter how many times I access the application through the same window. Even if I say session.invalidate(); it is still able to display the same session Id. Can somebody explain why the session Id remains the same?

      Also, I want to know how response.sendredirect() behaves in JBOSS. Technically, the session should be lost if one uses response.sendredirect(), but since response.sendredirect() opens the page in the same window, the session Id (as mentioned above) remains the same. Please explain.

        • 1. Re: Session in JBOSS and response.sendredirect()
          jaikiran

           

          "thirstquench" wrote:
          Even if I say session.invalidate(); it is still able to display the same session Id.


          How are you getting hold of the session id after invalidating the session? Can you post the relevant code? Also which exact version of JBoss AS?

          • 2. Re: Session in JBOSS and response.sendredirect()

            I am using JBOSS AS version # 4.0.3

            here is what I did:

            <%
            session.invalidate();

            String name1 = (String) request.getParameter("dropDown");
            String myName1 = (String) request.getAttribute("myName");

            %>


            alert("session id is <%=session.getId()%>");
            alert("name1 & myName1 is <%=name1%> , <%=myName1%>");


            I'm able to see the values of the session Id and name1 and myName1!

            • 3. Re: Session in JBOSS and response.sendredirect()

              Is there any news on this? I am experiencing the same issue: even if the session is invalidated and a new session is created, the session id stays the same as long as the same browser is used.

               

              I ran into this while trying to fix the "Portal session expiration should invalidate portlet webapps sessions" (https://jira.jboss.org/jira/browse/JBPORTAL-2030) by applying http://fisheye.jboss.org/changelog/Portal/?cs=11742 on JBoss Portal 2.6.2GA. I added session id logging to the SessionListener's sessionCreated and sessionDestroyed methods, and when the portal session for user1 expires the following happens:

              • the SessionListener reports that session with ID1 has expired
              • when requesting a protected page, JAAS kicks in, redirecting me to my login page (I'm using FORM authentication), and the SessionListener reports that a session with the same id as the previously destroyed session is created
              • after successful login the page requested by user1 is displayed, also when the login is made by a different user

               

              Why is the session id kept the same (is that normal or not)?

              Is maintaining the redirection url even if the user changes considered normal?
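
The session id logging that reply 3 describes can be turned into a check that flags reuse of a destroyed id. The listener below is an added example, not code from the thread or from JBoss Portal; the class name, the one-hour retention window and the log wording are assumptions, and it only sees sessions of the web application it is registered in.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener (class name and retention window are assumptions).
// Register it with a <listener> element in WEB-INF/web.xml.
public class SessionIdReuseListener implements HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(SessionIdReuseListener.class.getName());
    // How long a destroyed id is remembered (assumed value).
    private static final long RETENTION_MS = 60L * 60L * 1000L;
    // Destroyed session id -> time of destruction (epoch millis).
    private static final Map<String, Long> DESTROYED =
            new ConcurrentHashMap<String, Long>();

    public void sessionCreated(HttpSessionEvent se) {
        String id = se.getSession().getId();
        long now = System.currentTimeMillis();
        purgeOlderThan(now - RETENTION_MS);
        Long destroyedAt = DESTROYED.get(id);
        if (destroyedAt != null) {
            LOG.warning("Session created with previously destroyed id "
                    + mask(id) + ", " + (now - destroyedAt.longValue())
                    + " ms after destruction");
        } else {
            LOG.info("Session created: " + mask(id));
        }
    }

    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        DESTROYED.put(id, Long.valueOf(System.currentTimeMillis()));
        LOG.info("Session destroyed: " + mask(id));
    }

    // Drop entries older than the cutoff so the map stays bounded.
    private static void purgeOlderThan(long cutoff) {
        for (Iterator<Long> it = DESTROYED.values().iterator(); it.hasNext();) {
            if (it.next().longValue() < cutoff) {
                it.remove();
            }
        }
    }

    // Log only a prefix: a full session id in a log file is a credential.
    private static String mask(String id) {
        return id.length() <= 8 ? id : id.substring(0, 8) + "...";
    }
}
```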