问题
I am storing session ids in database at log in time. The problem I am facing is that if a different user logs in after first one, same session is entered in DB and welcome username still reflects the name of the one who logged in first on the same machine. I want to create a new session id each time a user logs in, but somehow my code doesn't work.
HttpSession session = request.getSession();
String sessionID;
request.getSession(true);
sessionID = session.getId();
Note: the above code is called when user click Login button and its contained in a servlet.
session ID still has the old value of session till the old one expires by default. Meaning if 10 users logs in, all will have same session id and same welcome name.
Need expert advice from gurus here:). Let me know if I am missing out on any details that need to be put.
If I use -
if(session.isNew()){
System.out.println("New session created by default");
request.getSession(true);
sessionID = session.getId();
createTime = new Date(session.getCreationTime());
lastAccessTime = new Date(session.getLastAccessedTime());
initialtime = System.currentTimeMillis();
}else{
System.out.println("You have created a new session");
request.getSession().invalidate();
request.getSession(true);
sessionID = session.getId();
createTime = new Date(session.getCreationTime());
lastAccessTime = new Date(session.getLastAccessedTime());
initialtime = System.currentTimeMillis();
}
get the below exception -
SEVERE: Servlet.service() for servlet LoginToApp threw exception
java.lang.IllegalStateException: getCreationTime: Session already invalidated
at org.apache.catalina.session.StandardSession.getCreationTime(StandardSession.java:1025)
at org.apache.catalina.session.StandardSessionFacade.getCreationTime(StandardSessionFacade.java:74)
at LoginToApp.doGet(LoginToApp.java:56)
at LoginToApp.doPost(LoginToApp.java:208)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:843)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:679)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1303)
at java.lang.Thread.run(Thread.java:595)
回答1:
Set the session variable to the new session: you're trying to work with the old, invalidated one.
回答2:
First you have to invalidate the session while logout, that deletes the session in server and its assosiated data.
Actually the session id is also stored in the client browser cookie with the name of jsessionid, even after invalidating the session it remains in client, but deleted in server, so when a user request with an expired jsessionid Server knows that the session is invalid,so creates new one.
So Invalidating is important while logout.
HttpSession session = request.getSession(false);
session.invalidate();
Even if you want to clear the data of the current session in client at the time of logout. use the below code.
Cookie[] cookies = request.getCookies();
for (Cookie cookie : cookies) {
cookie.setMaxAge(0);
cookie.setValue(null);
cookie.setPath("/");
response.addCookie(cookie);
}
来源:https://stackoverflow.com/questions/11886980/how-to-forcibly-create-a-new-session-in-java-servlets