问题
Shouldn't invalidating a session cause request.getSession(false) to return null? In my logout servlet I call
session.invalidate();
and in my login status filter I call
request.getSession(false);
The call to getSession(false) never returns null but all attributes associated with the session object returned are null. I currently detect if a user is logged out by searching for null attributes but this doesn't seem right.
回答1:
I currently detect if a user is logged out by searching for null attributes
That's also the normal approach. To check if an user is logged in, you should surely not check if the servletcontainer has created the session or not. This does not represent the logged-in user at all.
On login, just put the user model object in the session scope without checking if the container has created the session for you. In other words, just use getSession() without boolean argument so that the container will autocreate if necessary, you need the session at this point anyway:
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userService.find(username, password);
if (user != null) {
request.getSession().setAttribute("user", user);
response.sendRedirect(request.getContextPath() + "/home");
} else {
request.setAttribute("message", "Unknown login. Please retry.");
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
}
}
On access filtering, just check if the session attribute representing the logged-in user is present, you only use getSession(false) here to avoid unnecessary session creation, otherwise for example searchbots would trigger session creation which is totally unnecessary:
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
User user = (session != null) ? (User) session.getAttribute("user") : null;
String loginURL = request.getContextPath() + "/login";
if (user == null && !request.getRequestURI().equals(loginURL)) {
response.sendRedirect(loginURL);
} else {
chain.doFilter(request, response);
}
}
On logout, make sure that you send a redirect after invalidate, because the current session is still available in the response of a forward.
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getSession().invalidate();
response.sendRedirect(request.getContextPath() + "/login");
}
回答2:
for every servlet or jsp you travel you should call
request.getSession(false);
except for you first page where you create the sessionby
request.getSession(true);
if you dont call
request.getSession(false);
then the session is not carried till that page so before you call
session.invalidate();
make sure you are continuing the session to that page by calling
request.getSession(false);
来源:https://stackoverflow.com/questions/14557435/request-getsessionfalse-not-returning-null-after-calling-session-invalidate