what is __flexSession attribute in HttpSession - java

I want to know what the __flexSession attribute in HttpSession is. I am working on an application whose front end is Flex, the application server is WildFly 10 and the back end is Java. HttpSession has an attribute named __flexSession, which holds an HttpFlexSession object that seems to be a clone of the HttpSession. After invalidating the HttpSession, whenever I invalidate the HttpFlexSession I get this exception:
java.lang.IllegalStateException: WFLYCLWEBUT0001: Session KvLvpquLBKMYJ_APyZ6jzxhenh3cRIjoZtHkdAf3 is invalid
    at org.wildfly.clustering.web.undertow.session.DistributableSession.validate(DistributableSession.java:55)
    at org.wildfly.clustering.web.undertow.session.DistributableSession.getAttribute(DistributableSession.java:142)
    at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
    at com.os.sp.web.servlet.SessionInvalidateServlet.doPost(SessionInvalidateServlet.java:58)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)

This problem is resolved.
"__flexSession" is an auto-created attribute; it contains a session which is a replica of the main session (the parent session).
If you invalidate the session, it will automatically invalidate the session contained in the "__flexSession" attribute.
If you invalidate the session contained in the "__flexSession" attribute, it will invalidate its parent too.
It's just a theory, but the problem is how you can ensure both sessions are invalidated.
So to remove this doubt, the solution is to first isolate the two sessions from each other and then invalidate them one by one, as
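Added example (not the answer author's code): one way to write the invalidation servlet so that it does not hit the trace shown in the question. It assumes the "__flexSession" attribute holds a BlazeDS HttpFlexSession, which inherits invalidate() from flex.messaging.FlexSession; the servlet path and class name are made up. The attribute is read and detached before anything is invalidated, because the trace shows getAttribute() being called on a session that is already invalid, and each invalidate() is guarded against IllegalStateException because, as the answer says, invalidating either session may already have taken the other one down.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import flex.messaging.FlexSession;   // BlazeDS; HttpFlexSession extends this (assumption stated in the text)

// Example servlet, not the SessionInvalidateServlet from the question. The path is hypothetical.
@WebServlet("/session/invalidate")
public class SafeSessionInvalidateServlet extends HttpServlet {

    // Attribute name under which BlazeDS stores its HttpFlexSession (taken from the question).
    private static final String FLEX_SESSION_ATTR = "__flexSession";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);   // nothing to invalidate
            return;
        }

        // 1. Read everything needed from the session BEFORE invalidating anything.
        //    getAttribute() on an invalidated session throws IllegalStateException
        //    (that is the WFLYCLWEBUT0001 trace in the question).
        Object attr = session.getAttribute(FLEX_SESSION_ATTR);
        FlexSession flexSession = (attr instanceof FlexSession) ? (FlexSession) attr : null;

        // 2. Isolate: detach the Flex session from the HttpSession. With BlazeDS's binding
        //    listeners this removal may itself tear both sessions down; step 3 tolerates that.
        if (flexSession != null) {
            session.removeAttribute(FLEX_SESSION_ATTR);
        }

        // 3. Invalidate each one on its own, treating "already invalid" as success of the
        //    other path rather than as an error.
        boolean flexInvalidated = invalidateQuietly(flexSession);
        boolean httpInvalidated = invalidateQuietly(session);

        // 4. Record what actually happened instead of assuming both went away.
        log("session invalidated: http=" + httpInvalidated + " flex=" + flexInvalidated);
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** True if invalidate() completed; false if the reference was null or the session was already invalid. */
    private static boolean invalidateQuietly(FlexSession flexSession) {
        if (flexSession == null) {
            return false;
        }
        try {
            flexSession.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            return false;
        }
    }

    private static boolean invalidateQuietly(HttpSession session) {
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            return false;
        }
    }
}
```

The ordering is the whole point: every read of the HttpSession happens first, the cross-reference is removed second, and only then does anything get invalidated, so no code path ever touches a session after it has been declared invalid.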

Related

How to change the session ID without invalidating the current session in JAVA

I want to change the session ID without invalidating the session after every request to the server, and preserve all the session variables without invalidating it.
I am using single login to restrict the user from multiple logins by changing a flag is_login to true at session creation and to false when the session is destroyed, with the help of a session listener. After every request I am invalidating the session to generate a new session ID. Can I change the session ID without invalidating it in Java?
Since Java EE 7 and Servlet API 3.1 (Tomcat 8) you can use HttpServletRequest.changeSessionId() to achieve such behaviour.
There is also a listener, HttpSessionIdListener, which will be invoked after each change.
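Added example (not part of the answer above): a Servlet 3.1 listener that keeps the questioner's single-login bookkeeping correct across changeSessionId(), plus the call a login servlet would make after verifying credentials. The attribute names, the ACTIVE registry and bindAuthenticatedUser() are made up for this example; only changeSessionId(), HttpSessionIdListener and HttpSessionListener are from the Servlet API.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Example listener (hypothetical names). Requires Servlet 3.1, e.g. Tomcat 8.
@WebListener
public class SessionIdRotation implements HttpSessionIdListener, HttpSessionListener {

    // user name -> id of that user's one live session. In a cluster this would have to be
    // a shared store; a static map only works for a single JVM.
    static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();
    static final String USER_ATTR = "user";

    /** Called by the container after request.changeSessionId(). The session object and all
     *  its attributes are untouched; only the id and the JSESSIONID cookie differ, so the
     *  registry just needs the new id. sessionDestroyed() is NOT fired for this. */
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        String user = (String) session.getAttribute(USER_ATTR);
        if (user != null) {
            ACTIVE.replace(user, oldSessionId, session.getId());
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to track until someone logs in.
    }

    /** Fired for timeout and for explicit invalidate(); this is where the questioner's
     *  is_login flag goes back to false. */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        String user = (String) event.getSession().getAttribute(USER_ATTR);
        if (user != null) {
            ACTIVE.remove(user, event.getSession().getId());   // only if it is still ours
        }
    }

    /** Call from the login servlet after credentials are verified and before the response is
     *  committed (the new JSESSIONID cookie must still be writable). Returns false if the user
     *  already has a live session elsewhere. */
    public static boolean bindAuthenticatedUser(HttpServletRequest request, String user) {
        HttpSession session = request.getSession(true);

        // Rotate the id at the privilege change: whatever id the browser had before login
        // (possibly one an attacker fixed) stops being valid, but attributes survive.
        String newId = request.changeSessionId();

        // Single-login rule: putIfAbsent returns the previous id if one is registered.
        String previous = ACTIVE.putIfAbsent(user, newId);
        if (previous != null && !previous.equals(newId)) {
            return false;
        }
        session.setAttribute(USER_ATTR, user);
        return true;
    }
}
```

Rotating once at login, rather than on every request as the question describes, is enough to defeat session fixation; per-request rotation only adds races with concurrent requests from the same browser, whose cookie may still carry the previous id.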

Tomcat 7.0.40 returning the same session id after invalidation

On Tomcat, I have the below lines of code:
session.invalidate();
session = request.getSession(true);
but the new session has the same session ID as the prior one that was invalidated.
What is causing this behaviour? How can I force Tomcat to create the session with a new session ID?
Upon debugging I see that even though the session object referenced in the request becomes null, there is this requestedSessionId attribute in the request and the container is just using that ID to create the new session. How can I override that functionality?
This problem is resolved with Tomcat version 7.0.72. Looking at the change log, there are quite a few enhancements and bug fixes related to session ID generation between 7.0.40 and 7.0.72, so one of them probably addressed this.

what are the real effects to change JSESSIONID?

I am working on a Java application using Spring Security.
I want to avoid session fixation, but the session fixation solution found in the docs does not seem to be working as expected... here
So, I did this on my login:
final HttpSession session = request.getSession(false);
if (session != null && !session.isNew()) {
session.invalidate();
}
It works great and changes the JSESSIONID every time I call the login page...
But once I am logged in, I can call the login page again, get another JSESSIONID and still be logged in; I can just click the back button and come back to the logged-in users' area.
It does change the JSESSIONID. My question is, shouldn't it have a bigger effect, like invalidating my session or logging me out?
When I call the logout form it does log the user out and works as expected. I am just wondering if changing the JSESSIONID has a real effect or does not matter.
Any idea?
I am using Spring Security 3.2.
Spring's session is mapped to JSESSIONID, so if a customer had session-state beans, they would be lost after changing the JSESSIONID.
Even though the documentation says
Spring Security protects against this automatically by creating a new
session when a user logs in
you can explicitly set the configuration for session fixation by adding this
<security:session-management session-authentication-strategy-ref="fixation" />
and defining the fixation bean with the SessionFixationProtectionStrategy class.
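Added example (mine, not the answer's): the Java-config equivalent of the XML the answer shows, for Spring Security 3.2. The important difference from the questioner's code is where the session swap happens: the session-authentication strategy runs inside the authentication filter, right after credentials have been verified, and not on every visit to the login page. The URLs below are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Example configuration; paths such as /login are placeholders.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .and()
            .logout()
                .invalidateHttpSession(true)     // logout really ends the session
                .and()
            .sessionManagement()
                // Weak setting, shown for contrast only: the id the browser had before
                // login (possibly one an attacker fixed) stays valid after login.
                // .sessionFixation().none()
                //
                // migrateSession() installs a SessionFixationProtectionStrategy: on successful
                // authentication the pre-login session is invalidated and its attributes are
                // copied into a fresh session, so the JSESSIONID changes exactly once, at login.
                // newSession() does the same without copying attributes; changeSessionId()
                // (Servlet 3.1) keeps the session object and only swaps the id.
                .sessionFixation().migrateSession();
    }
}
```

Calling session.invalidate() on the login page, as in the question, does not log the user out because the current request's SecurityContext is saved into a fresh session when the request completes; the strategy above ties the swap to the authentication event instead, which is the only point where it matters.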

HttpSession in Grails Application

In my Grails application running on Tomcat 7, somewhere I am invalidating the existing HTTP session (session.invalidate()) and creating a new session (request.getSession(true)).
But this new session is not getting reflected everywhere in the Grails application. Because of this I get 'Session already invalidated'.
I don't want to do request.getSession() everywhere. I am just using 'session'.
Is there anything in Grails 1.3.7 so that this new session gets reflected everywhere in the app?
Please let me know if you need more info.
Regards
Well, Grails holds a reference to a session object and every time you ask it for a session it returns the same reference. So if you invalidate a session and then ask for the session, it will return the same invalidated session and cause the 'session already invalidated' exception.
This should work for you.
Execute the following line just after you do session.invalidate():
//Trick - so that grails doesn't use old invalidated session but rather create new.
GrailsWebRequest.lookup(request).session = null
After that you can use session just as you normally do. You don't need to create a new session yourself.
See this thread for the internals.

session.invalidate() IllegalStateException

I'm trying to invalidate a session. When I call:
session.invalidate()
it throws
java.lang.IllegalStateException: getLastAccessedTime: Session already invalidated
Any idea why? I can see the session and its values just before the invalidate line.
You can use an HttpSessionListener to understand where and when the session is timing out or getting invalidated before you call invalidate yourself.
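Added example (not from the answer): a diagnostic HttpSessionListener that records who destroyed a session and whether it looks like a timeout or an explicit invalidate(). The listener runs synchronously inside whatever call is destroying the session, so the stack trace logged here names the servlet, filter or container thread responsible. The class name and log format are made up for this example.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Temporary diagnostic listener (hypothetical name); remove once the culprit is found.
@WebListener
public class SessionDestroyTracer implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionDestroyTracer.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        LOG.info("session created id=" + event.getSession().getId()
                + " thread=" + Thread.currentThread().getName());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // The session is still readable inside this callback; after it returns, any
        // further call on a stale reference gives "Session already invalidated".
        HttpSession session = event.getSession();
        long now = System.currentTimeMillis();
        boolean timeout = likelyTimeout(session.getLastAccessedTime(),
                                        session.getMaxInactiveInterval(), now);

        // Logging a Throwable captures the full call stack: an application class calling
        // invalidate() shows up by name, a timeout shows only container frames on a
        // background thread.
        LOG.log(Level.WARNING,
                "session destroyed id=" + session.getId()
                + " thread=" + Thread.currentThread().getName()
                + " idleSeconds=" + (now - session.getLastAccessedTime()) / 1000
                + " maxInactive=" + session.getMaxInactiveInterval()
                + " cause=" + (timeout ? "timeout" : "explicit invalidate()"),
                new Throwable("invalidation point"));
    }

    /** A session whose idle time has reached its max-inactive interval was expired by the
     *  container; anything else was invalidated by code. maxInactive <= 0 means never expire. */
    static boolean likelyTimeout(long lastAccessedMillis, int maxInactiveSeconds, long nowMillis) {
        if (maxInactiveSeconds <= 0) {
            return false;
        }
        return (nowMillis - lastAccessedMillis) >= maxInactiveSeconds * 1000L;
    }
}
```

If the logged stack for the first destruction shows application code and the exception in the question appears on a later request, the invalidate() that fails is the second one, made on a reference that was kept from before; the fix is to re-fetch the session with request.getSession(false) and skip the call when it returns null.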
