httpsession

What is the maximum limit (i.e. size) of data that a HTTPSession variable can hold? What will happen if this exceeds? And most importantly, what is the alternative approach to have the data throughout the session if the size exceeds the maximum size that a HTTPSession variable can hold? There is no limit, other than the memory of your server. The alternatives are to run your server with more memory to configure the server to swap sessions to disk (see http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html for Tomcat) to avoid putting large data in the session, and to use a cache or a

I would like to make the connection between a websocket handshake \ session to a HttpSession object. I've used the following handshake modification: public class GetHttpSessionConfigurator extends ServerEndpointConfig.Configurator { @Override public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) { HttpSession httpSession = (HttpSession)request.getHttpSession(); config.getUserProperties().put(HttpSession.class.getName(),httpSession); } } As mentioned in this post: Accessing HttpSession from HttpServletRequest in a Web Socket

I've inherited a pretty ancient JSP application (JDK 1.3.1_15) and am attempting to plug a session fixation hole. I'm successfully invalidating the current session after authentication using HttpSession.invalidate() however when the new session is created, the old session ID is re-used. <% // login.jsp if (authenticated) { request.getSession().invalidate(); // create new session and store data HttpSession session = request.getSession(); session.putValue(...); // etc response.sendRedirect("logged-in.jsp"); return; } %> I can see the new session assignment in my HTTP monitor, it's just using the

I have a Java application running on Tomcat 6.0.29, with Apache 2.2.3 in front. The login page uses HTTPS, while most pages use HTTP. If a user tries to access a page (HTTP) that is login protected, he gets redirected to the login page (HTTPS), logs in, then gets redirected back to the originally requested page. This works great, as the JSESSIONID cookie is set as non-secure, and used for both HTTP and HTTPS. However, if the user starts at the login page (HTTPS), the JSESSIONID cookie is set as Secure, and thus the session is not available after login when redirecting to pages under HTTP,

How to check if a session is invalid or not? There is no method in the API . Is it the same as isNew() ? And what is the difference if not? If you want to know whether it valid based on a request: request.isRequestedSessionIdValid() or HttpSession sess = request.getSession(false); if (sess != null) { // it's valid } If you have stored a reference to the session and need to validate I would try { long sd = session.getCreationTime(); } catch (IllegalStateException ise) { // it's invalid } isNew() is true only if this session wasn't yet accepted by client (i.e. it was just created, and JSESSIONID

I am using SSH2. When I try to got an attribute with <%=session.getAttribute("username") %> , it was just right. But when I tried to get the same attribute with <s:property value="#session.username" /> , I got nothing. Why? Aren't they the same? And when I used the <s:debug> , I got these: Servlet.service() for servlet jsp threw exception org.hibernate.LazyInitializationException: could not initialize proxy - no Session at org.hibernate.proxy.AbstractLazyInitializer.initialize(AbstractLazyInitializer.java:167) at org.hibernate.proxy.AbstractLazyInitializer.getImplementation