Why calling invalidate() in HttpSessionListener doesn't give StackOverflowError?

Question

I have a jsp file and a HttpSessionListener to monitor HttpSession destroying activities.

index.jsp

<%
    HttpSession s = request.getSession();
    System.out.println("SID1 : " + s.getId());
    s.setAttribute("Key", "Value");
    s.invalidate();
%>

SessionListener

@WebListener
public class SessionListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        System.out.println("SID2 : " + s.getId());
        System.out.println(s.getAttribute("Key"));
        s.invalidate();
        System.out.println("Session Destroyed");
    }

}

Now according to the above situation, sending a HTTP request to index.jsp should create a HttpSession and call it's invalidate() method, meanwhile the HttpSessionListener should catch the same HttpSession and call the invalidate() once again, and this process should repeat over and over again.

Which should eventually result in throwing a java.lang.StackOverflowError. But I have got the the following output without any errors.

SID1 : A2751AE9E782A17380415B0078C9ED90
SID2 : A2751AE9E782A17380415B0078C9ED90
Value
Session Destroyed

I have tested it with both GlassFish and Tomcat servers, the result stays the same. Can someone explain what's going on?

Why should it throw a `StackOverflowError`? The [Javadocs](https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpSession.html#invalidate--) on `HttpSession.invalidate()` mention that it should throw `IllegalStateException` if *this method is called on an already invalidated session*. Maybe this is a quirk/bug of the specific application server you are using. — Nikos Paraskevopoulos, Feb 14 '18 at 16:39
can you print request.getSession().isNew() after s.invalidate() in jsp and let us know the result? — Prateek Jain, Feb 14 '18 at 16:40
The session is not invalidated on the first time. Take a look at the session ids. they are same. so it should keep calling invalidate again and again — Roshana Pitigala, Feb 14 '18 at 16:41

Andremoniy · Accepted Answer · 2018-02-14T16:43:12.240

2

Apparently this is because session is already invalidated when you invoke invalidate method for the second time from public void sessionDestroyed(HttpSessionEvent se) {...}.

Session.beginInvalidate() returns false value in this case and this block is not invoked:

boolean result = beginInvalidate();

try {
    //if the session was not already invalid, or in process of being invalidated, do invalidate
    if (result) {
         //tell id mgr to remove session from all contexts
         _handler.getSessionIdManager().invalidateAll(_sessionData.getId());
    }
}

In particular,_handler.getSessionIdManager().invalidateAll invokes SessionHandler.invalidate, which invokes SessionHandler.removeSession which invokes _sessionListeners.get(i).sessionDestroyed(event);.

So in case if the session is already invalidated this scenario doesn't work.

edited Feb 14 '18 at 16:43

answered Feb 14 '18 at 16:37

Andremoniy

34,031
20
135
241

If the session has been invalidated already, how come the attributes get printed in the output when called in the listener? – Roshana Pitigala Feb 14 '18 at 16:53
1

I don't understand this your last question. What's the problem? First time you invoke `s.invalidate();` from the JSP. It does all this sequence described in my answer. After that your `sessionDestroyed` is invoked where all printouts are performed. Then you call there `s.invalidate()` again, but it has no effect as at this moment session is already invalidated. – Andremoniy Feb 14 '18 at 16:55

Why calling invalidate() in HttpSessionListener doesn't give StackOverflowError?

1 Answers1