Announcement Announcement Module
No announcement yet.
Dispatcher and Servlet not sharing same session Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Dispatcher and Servlet not sharing same session

    I have this slight problem.

    I have a web app some some some servlets but the servlet that is giving issues is OnConstController which is a servlet.
    It does seem to be sharing the session from dispatcherselvet but the problem occurs when the session is invalidated i.e a user logging out out.
    The OnConstController servlet still looks at the session as valid. I know cos i printed out the SessionId and it is still exists.
    So that is a security concern. It seems the OnConstController servlet isn't notified of the invalidated session.
    Please can someone suggest the reason or fix.
    in the web.xml

  • #2
    I don't really see how this is a Spring Security issue (or indeed a Spring one).

    If you are invalidating the session and creating a new one, then whether you get a different session Id is controlled by the servlet container you are running in. If you only invalidated the session then there will no longer be an HttpSession available, so you wouldn't be able to print the Id (request.getSession(false) will return null).


    • #3
      hi luke ,
      Thanks for your quick reply.
      I believe I did this in the controller.
      HttpSession sess=req.getSession(false);
              	if(sess== null){
              		System.out.println("In the oncostController--> session is null");
      Apparently the code never gets here.
      Is there a problem with another servlet getting notifications of expired sessions from the DispactherServlet


      • #4
        If request.getSession(false) doesn't return null, then you haven't invalidated the session, or you've inadvertently created another one (or your servlet container has a serious bug).

        If you are just using the servlet API and aren't using Spring Security, then this isn't really an appropriate forum for questions like this.


        • #5
          hi luke,
          I am using spring security and I think this scenario is tied because it is affecting the concurrent user configuration i setup in my spring configuration. Validating a user's session isn't be notified. I did not want to throw in the spring security issue before because I felt it would lead to confusion.

          I figured that if I can get the onConstController Servlet to "see" invalidated sessions then it will propagate to the concurrent user session control as well.
          <concurrent-session-control max-sessions="1" expired-url="/logonScreen.jsp" />