I come back with the same question, but this time more documented. I have a web application with many servlets and JSPs. The application has a LogIn option. In the LogIn servlet I start a new session, and after placing some information in the session I go forward to a JSP.
LogIn.java relevant code:
HttpSession sess = request.getSession(true);
sess.setAttribute("GLN", user);
rd.forward(request, response);
After I forward, I get a Jsp page called Insert.jsp where I get the sessions attributes.
Insert.jsp relevant code:
HttpSession sess = request.getSession(false);
if (sess != null){
out.println(sess.getAttribute("GLN"));
}
After this I have a form that directs me to a servlet, Adaugare.java. Here I do the same thing:
Adaugare.java code:
HttpSession sess = request.getSession(false);
Here comes the problem. Later edit: This returns null, as no session exists. Then I forward to the same Insert.jsp file and there, even if I have HttpSession sess = request.getSession(false);, a new session with a new session ID is created, different from the first one. So obviously
out.println(sess.getAttribute("GLN")); returns null.
This is the long story. The short version:
When I go from a servlet to a JSP, the session is OK; when I go from a JSP to a servlet, the session is nowhere to be found. Then a new session is created when I forward to a JSP. Practically it creates a new cookie. If I print the contextPath from the JSP and the servlet, it's the same.
But here is the strange thing. This happens when I run the application on an Apache with mod_jk. When I run the app from a Tomcat, it works fine.......
Please help, I've been stuck for 2 weeks on this problem.
Answer to dan: (Text too long for a comment and I need to wait 7 hours to reply to my own question)
I deleted all commented lines. Hope that is OK. I'm not the one in charge of the server, but the one who is told me it's not multiple workers.
worker.list=jk-status
worker.jk-status.type=status
worker.jk-status.read_only=true
worker.list=jk-manager
worker.jk-manager.type=status
worker.list=balancer
worker.balancer.type=lb
worker.balancer.error_escalation_time=0
worker.balancer.max_reply_timeouts=10
worker.balancer.balance_workers=node1
worker.node1.reference=worker.template
worker.node1.host=localhost
worker.node1.port=8109
worker.node1.activation=A
worker.balancer.balance_workers=node2
worker.node2.reference=worker.template
worker.node2.host=localhost
worker.node2.port=8209
worker.node2.activation=A
worker.template.type=ajp13
worker.template.socket_connect_timeout=5000
worker.template.socket_keepalive=true
worker.template.ping_mode=A
worker.template.ping_timeout=10000
worker.template.connection_pool_minsize=0
worker.template.connection_pool_timeout=600
worker.template.reply_timeout=300000
worker.template.recovery_options=3
If the requests are balanced between multiple workers you should set the session stickiness flag to true. See: http://tomcat.apache.org/connectors-doc/reference/workers.html for more details. You should try:
worker.balancer.sticky_session=True
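Why the session disappears behind a two-node balancer, as an added simulation that is not part of the original answer. It assumes each node keeps its sessions in memory with no replication and that the session ID carries the node's route as a suffix (the `JSESSIONID=123.node1` form quoted further down this page); all class names are hypothetical.

```java
import java.util.*;

// Added illustration: two nodes behind one balancer, each with its own
// in-memory session store. All names here are hypothetical.
public class StickyDemo {
    static class Node {
        final String route;   // plays the role of the worker name / jvmRoute
        final Map<String, Map<String, Object>> sessions = new HashMap<>();
        Node(String route) { this.route = route; }

        // Mimics getSession(false): null if this node never issued the ID.
        Map<String, Object> find(String cookie) {
            return cookie == null ? null : sessions.get(cookie);
        }
        // Mimics getSession(true): new ID, suffixed with this node's route.
        String create() {
            String id = UUID.randomUUID().toString().replace("-", "") + "." + route;
            sessions.put(id, new HashMap<>());
            return id;
        }
    }

    static class Balancer {
        final List<Node> nodes; final boolean sticky; int next = 0;
        Balancer(List<Node> nodes, boolean sticky) { this.nodes = nodes; this.sticky = sticky; }

        Node pick(String cookie) {
            if (sticky && cookie != null && cookie.contains(".")) {
                String route = cookie.substring(cookie.lastIndexOf('.') + 1);
                for (Node n : nodes) if (n.route.equals(route)) return n;
            }
            return nodes.get(next++ % nodes.size());   // round-robin fallback
        }
    }

    // Request 1 logs in and stores "GLN"; request 2 looks the session up again.
    static boolean sessionSurvives(boolean sticky) {
        Balancer lb = new Balancer(List.of(new Node("node1"), new Node("node2")), sticky);
        Node first = lb.pick(null);
        String cookie = first.create();
        first.find(cookie).put("GLN", "user");
        Map<String, Object> s = lb.pick(cookie).find(cookie);
        return s != null && "user".equals(s.get("GLN"));
    }

    public static void main(String[] args) {
        System.out.println("sticky=false, session found: " + sessionSurvives(false));
        System.out.println("sticky=true,  session found: " + sessionSurvives(true));
    }
}
```

Without stickiness the second request lands on the other node, which has never seen the ID, so `getSession(false)` returns null there and the next `getSession(true)` issues a new cookie.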
Related
I am working on an application with React on the front end and Java (running on a Tomcat server, JDK 17) on the back end. Whenever I log in to the application, I send the user data to the server (Java) and see if the user exists in the database. Whenever I move across the components in the React application, I would like to check if the user is authenticated/allowed to use that particular component. Hence I stored the data in a session in the login servlet. I tried to access the session from another servlet called AuthenticationServlet; it returns null. Do I have to configure something so that I can access the data across all the servlets?
This is how I set the session data in the login servlet:
HttpSession session = request.getSession();
session.setAttribute("uname", uname);
Printing it on the console in the same servlet displays the username.
This is where I'm accessing it (AuthenticationServlet):
HttpSession session = request.getSession();
String k = (String) session.getAttribute("uname");
System.out.println(k);
This displays null. What am I doing wrong, or did I miss something? Much appreciated!
my code,
HttpSession session = request.getSession(false);
// Details.l.info(" 1>>>>session ID is : " + session.getId());
Details.l.info("["+this.getClass()+"]"+"request from "+request.getRemoteHost());
if(session==null){
session = request.getSession(true);
Details.l.info("["+this.getClass()+"]"+"Session Created!!!!!!!!!!!!!!!!!!!#####$####");
Details.l.info(" 2>>>>>session ID is : " + session.getId());
}
Details.l.info(" 3>>>>>session ID is : " + session.getId());
// System.out.println("session ID is : " + session.getId());
Details DTO = new Details(request);
String loc = DTO.findMyLocation();
session.invalidate();
Here, I am creating a session at the very beginning of the servlet with this logic: if the session already exists, give that session ID for that particular user; if a session does not exist for this particular user, create a new session and then give the new session ID. Here the new session is created inside the IF condition, and I have tested in all possible ways (I have used two different systems and tried hitting the servlet on one system too), but the control never gets into this loop where the session is getting created. But I see that every time I hit the servlet I get a new session ID!!! Can someone please explain this behavior of my servlet?? I am very new to sessions and servlets!!
Thanks in Advance..
JSPs implicitly create a session, unless session is set to false in the page directive:
<%@ page session="false" %>
That's why your servlet always sees an already existing session. Simply enter the address of the servlet in the browser address bar (provided the code you posted is in the doGet() method), instead of going through the JSP to invoke it, and you should see the servlet create a new session.
EDIT: note that the spec says about this session attribute that it can be used to specify that the JSP doesn't participate in the session. Nothing guarantees that no session will be created when invoking the JSP. Only that, if you try to access the session from this JSP, you'll get an exception.
You may want to use request.getSession(true) to always create a session.
I am using jboss 5.1 server and struts framework . The following are usecases
Usecase 1
1)Cleared the browser cache and loaded browser with my application url
(say /loadLogin.do)
2)In code httpSession = request.getSession(false); when I check httpSession it's not null and has some jsessionid, say 123
3)Now I invalidate the session: httpSession.invalidate();
4)Again I create a new session: httpSession = request.getSession(); now this time a new jsessionid is created, say 456
5)Finally when I check my cookie it shows 2 (two) jsessionids
Set-Cookie: JSESSIONID=123.node1; Path=/loadLogin
Set-Cookie: JSESSIONID=456.node1; Path=/loadLogin
Usecase 2
1)Don't clear cache
2)Suppose the browser already has the url (i.e. log in to the app and then log out and then try logging in again; this time the browser shows the url in its dropdown)
3)This time when I check the cookie only 1 jsessionid is present.
Can someone please tell me, is this how the server behaves, or is it something to do with the way the session is being handled in the application?
I dealt with this problem too, half a year ago. It was a very frustrating problem. But I solved it.
You first cancel the newly created session and then create a new one.
if (getHttpRequest().getSession(false).isNew() == false) {
getHttpRequest().getSession(false).invalidate();
getHttpRequest().getSession(true);
}
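Replacing the session at login is also the standard defence against session fixation, so here is one way to do the invalidate-then-create step, including the case where the browser arrived with no session at all. This is an added example, not code from the answer above; it assumes the `javax.servlet` API (`jakarta.servlet` on newer containers), a hypothetical attribute name, and that the container sets the session cookie path to the context path.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Class, method and attribute names are hypothetical.
public final class SessionRotation {
    private static final String USER_ATTR = "user";   // assumed attribute name

    private SessionRotation() {}

    /** Call only after the credentials have been verified. */
    public static HttpSession onLoginSuccess(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);    // null if the browser had no session
        if (old != null) {
            old.invalidate();                            // the pre-login ID stops being valid
        }
        // Nothing is copied from the old session, so data planted before login is dropped.
        // On Servlet 3.1+ containers request.changeSessionId() rotates the ID in place instead.
        HttpSession fresh = request.getSession(true);   // container issues a new JSESSIONID
        fresh.setAttribute(USER_ATTR, user);
        return fresh;
    }

    /** Ends the session server-side and tells the browser to drop its cookie. */
    public static void onLogout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);                            // 0 = delete immediately
        // A cookie is only replaced when its name and path match the one originally set
        // (assumption: the container used the context path).
        String ctx = request.getContextPath();
        expired.setPath(ctx.isEmpty() ? "/" : ctx);
        response.addCookie(expired);
    }
}
```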
Hi, in the JavaScript of a JSP I am checking whether userId is in the session or not. It always has a session id, even if the session expires, but I checked in the Java Action class and after the session expires userid is null, but not in the JSP. code link
Try alerting the sessionId in your javascript code. You will find that the sessionId is different after the old one has expired.
Also check what the code is doing when a new session is created. It might be setting the userid in the new session.
Hi, I am developing an application using Struts and JSP. In the JSP we are using Ajax calls; after session timeout, we are redirecting to the login page. But the problem is that the login page is displaying in the same div tag. I am checking whether the user is in the session or not in the JavaScript of the JSP, but the session always has a userid value; it is never null, even if the session expires.
Two things:
1) Configure a Welcome page as Login Page in web.xml
2) Create a filter and configure it in web.xml; this should be the first filter in web.xml
In the filter, check if the session is new: if so, the user should be guided to the login page, else the request should be processed.
Recently I made a tutorial about exactly this. Maybe it can be helpful. It is the same solution that abhi proposed, but with an example.
http://classfoundexception.blogspot.com.es/2012/04/how-to-secure-struts-13-application.html
Every time a new request comes in, you should check and validate the session on the server side.
Also, this timeout is handled by the web server. Once a timeout has occurred, the server automatically redirects the user to the session logout URL. You may change this configuration in the conf files of the server.
For more info see this
To handle session timeout/expiry for an Ajax call request and to dispatch it to the login page, follow these steps.
1) In your JSP, wherever the Ajax functions are written, set a header before your Ajax send request.
req.open("POST", Servlet_PATH, true);
req.setRequestHeader("X-Requested-With", "XMLHttpRequest"); //set header
req.send();
2) In a Filter, get the header like this, and if the session is null send a response error
httpRequest.getHeader("X-Requested-With");
if (session == null) {
    if (httpRequest.getHeader("X-Requested-With") != null && httpRequest.getHeader("X-Requested-With").equals("XMLHttpRequest")) {
        logger.info("Ajax Expired...");
        ((HttpServletResponse) response).sendError(403); // Response error set
        return;
    }
}
3) In the JSP, wherever the Ajax code is written, check request.readyState and request.status like this
if (req.readyState==4 && req.status==200)
{
//your logic
}
else if(req.readyState==4 && req.status==403){
alert("Your Session is Expired.Please Relogin.");
window.location.href = "<%=request.getContextPath()%>/jsp/login.jsp";
}
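The filter approach from the answers above, written out as one class: it answers an expired Ajax call with 403 and redirects an ordinary request to the login page. This is an added example, not code from any of the posts; it assumes the `javax.servlet` API (`jakarta.servlet` on newer containers), and the `userId` attribute name and `/login.do` action path are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Map it as the first filter in web.xml.
public class SessionCheckFilter implements Filter {
    private static final String LOGIN_PAGE = "/jsp/login.jsp";   // path used in the post above
    private static final String USER_ATTR = "userId";            // assumed: set at login
    // Paths reachable without a login; "/login.do" is a hypothetical login action.
    private static final Set<String> PUBLIC =
            new HashSet<String>(Arrays.asList(LOGIN_PAGE, "/login.do"));

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Let the login page and login action through, otherwise the redirect loops.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (PUBLIC.contains(path)) { chain.doFilter(req, res); return; }

        // getSession(false) never creates a session. A JSP may already have created
        // an empty one, so test for the login attribute, not for the session alone.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (loggedIn) { chain.doFilter(req, res); return; }

        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            // Ajax caller: send a status the callback can act on (403, as in the steps above).
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            // Full-page request: send the browser to the login page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}
```

The `X-Requested-With` header is client-supplied, so it only selects the response format here; the decision to deny is made from the server-side session alone.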