Uploaded image for project: 'Application Server 3 4 5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-4436

session.getSession(true) does not create new sessionID after invalidation

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • JBossAS-4.0.3 SP1
    • Web (Tomcat) service
    • None

      It is not possible to generate new session IDs as expected and stated in the servlet specification.
      A call of HttpSession.invalidate() unbounds all objects attached to the session but does not set the session to invalid.

      Sample Code:

      public class SessionTest extends HttpServlet {

      protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException

      { HttpSession curSession=httpServletRequest.getSession(); String prevSession = curSession.getId(); curSession.invalidate(); // Should invalidate session curSession= httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead String newSession= curSession.getId(); boolean testCondition = prevSession.equals(newSession); // is true }

      }

      EDIT: I am not sure if this affects versions higher than 4.03 as well

            rmaucher Remy Maucherat
            ladam_jira Ludwig Adam (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: