How to forcibly create a new session in Java Servlets

Question

I am storing session ids in database at log in time. The problem I am facing is that if a different user logs in after first one, same session is entered in DB and welcome username still reflects the name of the one who logged in first on the same machine. I want to create a new session id each time a user logs in, but somehow my code doesn't work.

HttpSession session = request.getSession();
String sessionID;
request.getSession(true);
sessionID = session.getId();

Note: the above code is called when user click Login button and its contained in a servlet.

session ID still has the old value of session till the old one expires by default. Meaning if 10 users logs in, all will have same session id and same welcome name.

Need expert advice from gurus here:). Let me know if I am missing out on any details that need to be put.

If I use -

if(session.isNew()){
            System.out.println("New session created by default");
            request.getSession(true);
            sessionID = session.getId();
            createTime = new Date(session.getCreationTime());
            lastAccessTime = new Date(session.getLastAccessedTime());
            initialtime = System.currentTimeMillis();
        }else{
            System.out.println("You have created a new session");
            request.getSession().invalidate();
            request.getSession(true);
               sessionID = session.getId();
            createTime = new Date(session.getCreationTime());
            lastAccessTime = new Date(session.getLastAccessedTime());
            initialtime = System.currentTimeMillis();
         }

get the below exception -

SEVERE: Servlet.service() for servlet LoginToApp threw exception
java.lang.IllegalStateException: getCreationTime: Session already invalidated
    at org.apache.catalina.session.StandardSession.getCreationTime(StandardSession.java:1025)
    at org.apache.catalina.session.StandardSessionFacade.getCreationTime(StandardSessionFacade.java:74)
    at LoginToApp.doGet(LoginToApp.java:56)
    at LoginToApp.doPost(LoginToApp.java:208)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:843)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:679)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1303)
    at java.lang.Thread.run(Thread.java:595)

I'd say your logout is broken, then. Or your login. Or both. — Dave Newton, Aug 09 '12 at 15:43
I don't think so, Dave.Login is just a html page and everything is handled in the servlet here. — anujin, Aug 09 '12 at 15:44
Really? Hmm. Because normally on logout you'd invalidate the current session (or on login if you don't on logout, or you should just run the logout code). But the session ID isn't really the gating issue--what's *in* the session is the most important thing. And if you still have old data in the session, or the database, either your login, or logout, is broken (or both). — Dave Newton, Aug 09 '12 at 15:49
Dave, added more details to question. I do agree with your `invalidate`, but get the above exception. I am not logging out. Just logging in and if new user wants to log in, he clicks Log in again. — anujin, Aug 09 '12 at 15:55

score 1 · Accepted Answer · answered Aug 09 '12 at 15:58

1

Set the session variable to the new session: you're trying to work with the old, invalidated one.

answered Aug 09 '12 at 15:58

Dave Newton

158,873
26
254
302

how can I do that? Your thoughts please? – anujin Aug 09 '12 at 16:06
Thanks Dave. Your answer helped me and I found the details at - [killsession](http://stackoverflow.com/questions/5404907/kill-user-session). – anujin Aug 09 '12 at 16:16
@anujin Glad you worked it out--but setting a variable to a new value shouldn't require any research, no? – Dave Newton Aug 09 '12 at 16:56
absolutely:). Got a bit offtrack with `getSession` and overlooked `session` variable. – anujin Aug 09 '12 at 18:41

score 0 · Answer 2 · answered Nov 28 '14 at 00:19

First you have to invalidate the session while logout, that deletes the session in server and its assosiated data.

Actually the session id is also stored in the client browser cookie with the name of jsessionid, even after invalidating the session it remains in client, but deleted in server, so when a user request with an expired jsessionid Server knows that the session is invalid,so creates new one.

So Invalidating is important while logout.

 HttpSession session = request.getSession(false); 
 session.invalidate();

Even if you want to clear the data of the current session in client at the time of logout. use the below code.

Cookie[] cookies = request.getCookies();
    for (Cookie cookie : cookies) {
        cookie.setMaxAge(0);
        cookie.setValue(null);
        cookie.setPath("/");
        response.addCookie(cookie);
    }

How to forcibly create a new session in Java Servlets

2 Answers2