Dispatcher and Servlet not sharing same session

**chinedubond** · Feb 24th, 2011, 04:41 AM

Hi
I have this slight problem.

I have a web app some some some servlets but the servlet that is giving issues is OnConstController which is a servlet.
It does seem to be sharing the session from dispatcherselvet but the problem occurs when the session is invalidated i.e a user logging out out.
The OnConstController servlet still looks at the session as valid. I know cos i printed out the SessionId and it is still exists.
So that is a security concern. It seems the OnConstController servlet isn't notified of the invalidated session.
Please can someone suggest the reason or fix.
Thanks
in the web.xml

Code:

<servlet> 
    <servlet-name>OnConstController</servlet-name>  
    <servlet-class>com.systemspecs.controller.OnConstController</servlet-class> 
  
  </servlet>  
  <servlet-mapping> 
    <servlet-name>OnConstController</servlet-name>  
    <url-pattern>/onConst</url-pattern> 
  </servlet-mapping>  
  <servlet>

**Luke Taylor** · Feb 24th, 2011, 06:59 AM

I don't really see how this is a Spring Security issue (or indeed a Spring one).

If you are invalidating the session and creating a new one, then whether you get a different session Id is controlled by the servlet container you are running in. If you only invalidated the session then there will no longer be an HttpSession available, so you wouldn't be able to print the Id (request.getSession(false) will return null).

**chinedubond** · Feb 24th, 2011, 07:07 AM

hi luke ,
Thanks for your quick reply.
I believe I did this in the controller.

Code:

HttpSession sess=req.getSession(false);
        	
        	if(sess== null){
        		System.out.println("In the oncostController--> session is null");
        		res.sendRedirect("/logonScreen.jsp");
        	}

Apparently the code never gets here.
Is there a problem with another servlet getting notifications of expired sessions from the DispactherServlet

**Luke Taylor** · Feb 24th, 2011, 07:19 AM

If request.getSession(false) doesn't return null, then you haven't invalidated the session, or you've inadvertently created another one (or your servlet container has a serious bug).

If you are just using the servlet API and aren't using Spring Security, then this isn't really an appropriate forum for questions like this.

**chinedubond** · Feb 24th, 2011, 07:26 AM

hi luke,
I am using spring security and I think this scenario is tied because it is affecting the concurrent user configuration i setup in my spring configuration. Validating a user's session isn't be notified. I did not want to throw in the spring security issue before because I felt it would lead to confusion.

I figured that if I can get the onConstController Servlet to "see" invalidated sessions then it will propagate to the concurrent user session control as well.
<concurrent-session-control max-sessions="1" expired-url="/logonScreen.jsp" />

Thread: Dispatcher and Servlet not sharing same session

Thread Tools

Display

Dispatcher and Servlet not sharing same session

Posting Permissions