2 Replies Latest reply on Jan 10, 2013 6:21 AM by Peter Probst

    How to correctly invalidate httpSession?

    Peter Probst Newbie



      after invalidating the httpSession on the server the client throw the following error:

      [errai] activated CDI eventing subsystem. 864461B90518C25905AB49B41ABBBE83.cache.html:1934

      [errai] http session has expired. resetting bus and attempting reconnection. 864461B90518C25905AB49B41ABBBE83.cache.html:1934

      [errai] wait for: org.jboss.errai.bus.client.framework.ClientMessageBus 864461B90518C25905AB49B41ABBBE83.cache.html:1934

      receiver 'ClientBus' threw an exception -- Additional Details: <table><thead style='font-weight:bold;'><tr><td>Field</td><td>Value</td></tr></thead><tbody><tr><td>ToSubject</td><td>ClientBus</td></tr><tr><td>CommandType</td><td>SessionExpired</td></tr></tbody></table>


      After the error the client is not responding. I've tried to invalidate only the httpSession and also to invalidate the errai session before. Both ends up in the above error.


      Here is the code with invalidating errai and http session, which is called in an errai rpc call or in a timer thread:

          ServletRequest request = RpcContext.getServletRequest();
          QueueSession session = ErraiSessionUtil.getQueueSessionFromHttpRequest((HttpServletRequest) request);
          if (session.endSession()) {
              HttpSession httpSession = RpcContext.getHttpSession();


      Which is the correct way to invalidate the http session?

      Thanks, Peter

        • 1. Re: How to correctly invalidate httpSession?
          Jonathan Fuerth Master

          Hi Peter,


          May I ask what you're doing at a higher level that makes you want to invalidate the session?


          In my experience, I've always found the HttpSession.invalidate() call to be more trouble than it's worth. Generally when I want to mark a session as "logged in" I will insert a User attribute into it:


              session.setAttribute("user", authenticatedUser);


          and when the user logs out, I'll remove that object:




          Could this work in your situation, or are your needs different?



          • 2. Re: How to correctly invalidate httpSession?
            Peter Probst Newbie

            Hello Jonathan,


            thanks for the quick response. We have decided to use a logical session management similar to what you have described above. So we do not use the session.invalidate() anymore.