I just wanted to confirm some assumptions derived from testing with anyone with experience using the HttpSession.
How exactly does request.getSession(true) work? It appears to return invalid sessions, I assume this is by design as there is also a request.isRequestedSessionIdValid() method. So if a request comes in with a jsessionid for a session which has timed out, it appears that getSession() will still return it. However, at this point the session.getAttribute("myAtt") will return null.
below is pseudocode:
HttpSession session = request.getSession(true);
if(session.isNew()){
session.setAttribute("myAtt", new Integer(3));
}
else{
Integer val = (Integer)session.getAttribute("myAtt");
if(val == null){
throw new IllegalStateException("Session must contain a myAtt");
}
//process val
}
I am seeing the IllegalStateException being thrown for timed out sessions. I would have hoped that getSession() would return a session for which isNew() is true if the requested session id is invalid, but this doesn't appear to be the case. So at this point, since it appears I have a session that has been invalidated, how do I get my hands on a valid session for which isNew() will return true?
Note this is the only place in which I am creating a session in the code, all other calls to getSession are getSession(false), so there shouldn't be any way for a session to exist, not be new, and not contain a myAtt. This does work up until the session times out.
tia