1

i'm using in my actions a SessionMap (org.apache.struts2.dispatcher.SessionMap<K,V>) to track my sessions. I also use the method invalidate() provided by SessionMap for logout.

Using the webapp "manager" provided by Tomcat, I can monitor sessions in my server. When i want logout from my webapp i call the method invalidate().

But after calling this method the session doesn't expire! Invalidate() method only delete the object stored in the session (e.g. a user object created after login() but the session exists.

Hoping my explanation is clear, how can i solve this problem? thanks in advance

My code:

public String execute(){

    User user = authenticateUser( getUsername(), getPassword() ); 
    if ( user == null )
    {
        /* User not valid, return to input page. */
        return INPUT;
    }
    else{
        session.put( "user", user );
    }

    return SUCCESS;
}

and I invalidate the session as follows:

public String logout(){
    session.invalidate();   
    System.out.println("LOGOUT");
    return "logout";
}

where session is:

private SessionMap<String, Object> session;
Rosanero4Ever
  • 482
  • 1
  • 7
  • 19

2 Answers2

1

A session is created as soon as a JSP is accessed, unless you explicitly configure the JSP to not create sessions, plus the S2 session interceptor will create one (if your stack includes it).

That said, removing a known object from session should be all that's required to indicate whether or not a person is logged out--relying on not having a session requires too much extra work, and is fairly brittle--simply forgetting to tell a JSP page not to create a session will create it.

It's much cleaner, and more reliable, to keep something like a User object in session while the user is logged in.

Dave Newton
  • 158,873
  • 26
  • 254
  • 302
  • @Rosanero4Ever Okay, but that's not really related to what I said. – Dave Newton Nov 25 '11 at 16:39
  • @Dᴀᴠᴇ Nᴇᴡᴛᴏɴ I keep a user object in session while the user is logged in, as you suggested. When i invalidate the session the user object is "deleted" from the session, but the session still exists. – Rosanero4Ever Nov 25 '11 at 16:52
  • 1
    @Rosanero4Ever As I stated, sessions will show up any time you access a JSP and don't explicitly declare the JSP to not avoid sessions. Why do you care if there's a session if it's empty? You're trying to micro-optimize something that just doesn't matter. – Dave Newton Nov 25 '11 at 16:56
  • @Dᴀᴠᴇ Nᴇᴡᴛᴏɴ Right Dave! I want to understand how session works using methods I used in my code. But, as you wrote, i would like micro-optimize because i care performance on the server. So, I don't care about session without any object inside. Right? :-) – Rosanero4Ever Nov 25 '11 at 17:02
  • 1
    @Rosanero4Ever Micro-optimize all you want. Set up every JSP page you don't want to create a session with `<%@ page session="false" %>`. I don't know what you think you're really saving, though--the effort you spend making sure you keep up with all your pages and application flows is 100% not worth the miniscule memory benefit (maybe 1K-2K per user, so you'd need thousands of users before you'd even *notice* it). Have fun. – Dave Newton Nov 25 '11 at 17:06
1

How you invalidating your session can you show the code? one way to invalidate session is

// Code fragment from class implementing SessionAware containing the 
// session map in a instance variable "session". Attempting to invalidate 
// an already-invalid session will result in an IllegalStateException.
if (session instanceof org.apache.struts2.dispatcher.SessionMap) {
    try {
        ((org.apache.struts2.dispatcher.SessionMap) session).invalidate();
    } catch (IllegalStateException e) {
        logger.error(msg, e);
    }
}

More over i am agree with Dave you should be concerned to remove a particular instance from the session

Umesh Awasthi
  • 23,407
  • 37
  • 132
  • 204
  • @Rosanero4Ever removing user from the session is your ultimate goal which can be best achieved by remove method beside i am agree what Dave has said in his post.Is there any special requirement to invalidate session? – Umesh Awasthi Nov 25 '11 at 16:45
  • I think about server performance. I don't want session without any object inside. – Rosanero4Ever Nov 25 '11 at 16:54
  • :) than you have to ask jsp not to create session instance for you more over struts2 session and lazy means they are not there till u ask for them and honestly this aspect will not going to impact overall performance of your application – Umesh Awasthi Nov 25 '11 at 16:59
  • So..I'm too much precise and careful. I will never care about sessions in these terms :-) – Rosanero4Ever Nov 25 '11 at 17:05
  • @Rosanero4Ever look at the comment of Dave if you want to avoid the session creation and honestly i never tried such level of optimization as it will not give much results worth your efforts input.thats said rest is all your choice – Umesh Awasthi Nov 25 '11 at 17:08