[prev in list] [next in list] [prev in thread] [next in thread] 

List:       turbine-user
Subject:    Re: session.invalidate not working
From:       Tony Oslund <tonyo () prepare-enrich ! com>
Date:       2012-07-18 20:30:45
Message-ID: 50071CF5.9040509 () prepare-enrich ! com
[Download RAW message or body]


I looked through some of my code and came across the following...

             // invalidate the old session
             data.getRequest().getSession().invalidate();

             // use the sessionid from a newly created session
             sessionId = data.getSession().getId();


In another instance I am also using a slightly different variation

             try {

                         if (data.getResponse().isCommitted() == false) {
                             data.getResponse().sendRedirect(destination);
                         }

                         // invalidate this session since we are not 
going to use it anyways
                         data.getRequest().getSession().invalidate();

                         return false;

                     } catch (IOException ex) {}

I have not had problems with either of these

However, I am currently running Tomcat 6.0...

Thinking years back... one thing I did run into with this had to do with 
my setup in tomcat....


Within conf/server.xml (on my dev server) I use

<Context path="/webapp" docBase="webapp"  crossContext="true">

Within WEB-INF/web.xml I use

<servlet>
<servlet-name>
            webapp
</servlet-name>
<servlet-class>
             org.apache.turbine.Turbine
</servlet-class>

...

</servlet>

<servlet-mapping>
<servlet-name>
             webapp
</servlet-name>
<url-pattern>
             /something/*
</url-pattern>
</servlet-mapping>




On 7/18/2012 12:58 PM, Asha N wrote:
> Hello,
>
> We are using Turbine with Velocity, Javascript and Java and Tomcat 7 as our
> server. I have a use case where the session needs to be invalidated after a
> user logs in. The things that I tried are:
> * Tomcat7 by default has it turned on, but it does not work. We have another
> system with Spring instead. That generates a new jsessionid without any
> issues.
> * I tried the following code just before the user gets authenticated via:
> TurbineSecurity.getAuthenticatedUser(username, password);
> my code:
>               HttpSession session = data.getRequest().getSession(false);
> 		if (session!=null&&  !session.isNew()) {
> 		    session.invalidate();
> 		}
> 			
> 		data.getRequest().getSession(true);
>
> this does not work. I still get the same sessionid.
> I also tried:
>
> data.getSession().invalidate(), but that too does not seem to work.
>
> Any pointers or inputs are greatly appreciated.
>
> thanks in advance,
>
> Asha
> 		

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@turbine.apache.org
For additional commands, e-mail: user-help@turbine.apache.org

[prev in list] [next in list] [prev in thread] [next in thread]