Re: [jetty-users] Session invalidation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Session invalidation

From: Jan Bartel <janb@xxxxxxxxxxx>
Date: Sat, 27 Feb 2021 14:20:26 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Difficult to tell you what is happening with so little information ;) What version of jetty? What configuration of the session management: SessionCache, SessionStore, SessionIdManager?

Does your webapp involve forwarding between contexts? Does your webapp have any filters or 3rd party libraries that might create a session?

Have you used a tool like Chrome's developer panel that shows you the http dialog going on between the tabs and the server? Or tcpdump/wireshark etc etc?

Have you turned on DEBUG level logging for org.eclipse.jetty.server.session?

How does SessionState get set onto the Session? Is it via a HttpSessionListener? If so, Request.getSession() will create a new Session if one does not exist, and the listener could set the SessionState on it.

Jan

On Fri, 26 Feb 2021 at 13:14, John English <john.foreign@xxxxxxxxx> wrote:

I have a webapp requiring a user to log in before doing anything else.
State information is stored in an object in a session attribute called
"state". When I log out I do the following:

HttpSession session = request.getSession();
if (session != null) {
session.removeAttribute("state");
try {
session.invalidate();
}
catch (IllegalStateException e) { }
}

I go to the webapp and log in, then open another tab for the same webapp
and log out, executing the code above. I then go back to the first tab
and click a button which sends a POST request to a servlet that starts
off like this:

HttpSession session = request.getSession();
SessionState state = (session != null ?
(SessionState)session.getAttribute("state") : null);

The session and the state are both valid objects after these two lines.

Can anyone tell me what might be happening here?

--
John English
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users

Jan Bartel <janb@xxxxxxxxxxx>

www.webtide.com
Expert assistance from the creators of Jetty and CometD

References:
- [jetty-users] Session invalidation
  - From: John English

Prev by Date: Re: [jetty-users] WebSocketListener.onWebSocketClose called numerous times
Next by Date: Re: [jetty-users] WebSocketListener.onWebSocketClose called numerous times
Previous by thread: Re: [jetty-users] Session invalidation
Next by thread: [jetty-users] WebSocketListener.onWebSocketClose called numerous times
Index(es):
- Date
- Thread

Breadcrumbs