- Bug
- Resolution: Won't Do
- Major
- None
- JBossAS-4.0.3 SP1
- None
It is not possible to generate new session IDs as expected and stated in the servlet specification.
A call of HttpSession.invalidate() unbinds all objects attached to the session but does not set the session to invalid.
Sample Code:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionTest extends HttpServlet {
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        HttpSession curSession = httpServletRequest.getSession();
        String prevSession = curSession.getId();
        curSession.invalidate(); // Should invalidate session
        curSession = httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead
        String newSession = curSession.getId();
        boolean testCondition = prevSession.equals(newSession); // is true
    }
}
EDIT: I am not sure if this affects versions higher than 4.03 as well.
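A defensive check for the behaviour reported above, as an added example that is not part of the original report or of JBoss: the hypothetical helper `SessionRotation.rotate` invalidates the session, requests a new one, and fails closed if the container hands back the same ID. It assumes only the `javax.servlet` API; the class name, method name and `keepAttributes` parameter are illustrative.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: SessionRotation is a hypothetical helper, not JBoss code.
public final class SessionRotation {
    private SessionRotation() {}

    /**
     * Invalidates the current session, creates a new one, and throws if the
     * container returns the same session ID (the behaviour reported above).
     */
    public static HttpSession rotate(HttpServletRequest request, boolean keepAttributes)
            throws ServletException {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true); // nothing to rotate
        }
        String oldId = old.getId();

        // Snapshot attributes first: invalidate() unbinds them from the session.
        Map<String, Object> saved = new HashMap<String, Object>();
        if (keepAttributes) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();

        HttpSession fresh = request.getSession(true);
        if (oldId.equals(fresh.getId())) {
            // Container reused the ID: refuse to continue with the old identifier.
            fresh.invalidate();
            throw new ServletException("session ID was not regenerated after invalidate()");
        }
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```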