Hi all,
In our webapp, when a user clicks logout, an action is triggered to log out the user and then they get redirected to our login page. The login page contains a call to session.invalidate.
It seems like session.invalidate DOES invalidate the session so that any calls made to the session fail after it is invalidated. The strange thing is that if a user logs out and then another user logs back in, the session id stays the same.
Here's the code on the login page:
SESSION INFO BEFORE INVALIDATE:
${pageContext.session }<br />
creation time: ${pageContext.session.creationTime}<br />
sessiont id: ${pageContext.session.id}
<%
try
{
session.invalidate();
}
catch (Exception ex)
{
out.print("Exception clearing session!");
}
%>
Inside the application, I print out the session id, creation time, and user name.
So, here's what I see on the login page:
SESSION INFO BEFORE INVALIDATE: org.apache.catalina.session.StandardSessionFacade@1ad4242
creation time: 1187295129252
sessiont id: 873C8C86BFC930A70F8A1A2CEDFC2CBE
After logging in, I see this inside the app:
SESSION INFO: 873C8C86BFC930A70F8A1A2CEDFC2CBE
user: hudson
creation time: 1187295227940
When I hit logout, I see this on the login page:
SESSION INFO BEFORE INVALIDATE: org.apache.catalina.session.StandardSessionFacade@3aec42
creation time: 1187295227940
sessiont id: 873C8C86BFC930A70F8A1A2CEDFC2CBE
When I log in again with a different user, I see this inside the app:
SESSION INFO: 873C8C86BFC930A70F8A1A2CEDFC2CBE
user: nuser
creation time: 1187295424507
The creation time for the session is changing, but I thought the session id would be different after the call to invalidate.
On the index page, after the session is invalidated, if I add a line of code to print out the session creation time, then there is an exception. So it looks like the session is getting invalidated, but the session id will still get reused. Has anyone ever encountered this situation before? The app server I'm running is jboss-4.0.5.GA.
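Added example, not part of the original post: a login-time check, using only the standard javax.servlet.http API, that creates the post-login session and reports whether its id differs from the id the browser presented, which is the condition the output above shows. The class name, method name and the "user" attribute are hypothetical.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (added example): call it from the login action once credentials are verified. */
public final class SessionRotationCheck {
    private static final Logger LOG = Logger.getLogger(SessionRotationCheck.class.getName());

    private SessionRotationCheck() {}

    /**
     * Drops any session bound to the request, creates a new one for the user, and
     * reports whether the new id differs from the id the browser presented.
     */
    public static boolean rotate(HttpServletRequest request, String userName) {
        // Id from the incoming cookie or URL. It is still reported after the login
        // page has invalidated that session, when getSession(false) returns null.
        String presentedId = request.getRequestedSessionId();

        HttpSession old = request.getSession(false);
        if (old != null) {
            try {
                old.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Invalidated elsewhere during this request; nothing left to clear.
            }
        }

        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", userName); // assumed attribute name

        boolean idChanged = presentedId == null || !presentedId.equals(fresh.getId());
        if (!idChanged) {
            // Log only a prefix so the log never holds a usable session id.
            String prefix = presentedId.substring(0, Math.min(8, presentedId.length()));
            LOG.warning("Session id " + prefix + "... issued before login is still in use after login for user " + userName);
        }
        return idChanged;
    }
}
```

A `false` return corresponds to the case shown in the post: a new creation time but the same session id before and after login.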