Just to add a bit more information, our handler class, for better or for
worse, implements the following interfaces all in one class:

 implements HttpSessionBindingListener, HttpSessionActivationListener,
HttpSessionIdListener, HttpSessionListener, ServletContextListener

We also use that same class as our "session model" object that we bind as
an attribute to the session itself (it's a bit of a mixed bag historically
that I want to clean up).

And in terms of registration, we do not have any annotations on the class,
instead we register it in web.xml (in the application WAR file) using a
standard listener entry:

<listener>
    <listener-class><<class name>></listener-class>
</listener>

Our web.xml is set at Servlet API version 3.0 (kind-of old), and we are
running against Tomcat 9.5 (and this worked on 8.5 and before as well).

Not sure if that adds anything, Chris, that you haven't already looked at.

I would really prefer a way to query the sessions from the app, but as we
know, that's not part of the current Servlet specification, or any
extensions Tomcat currently provides.

Robert



On Thu, Mar 21, 2024 at 3:31 PM Robert Turner <rtur...@e-djuster.ca> wrote:

> We receive the sessionWillPassivate and sessionDidActivate callbacks on
> startup. Odd that you are not. That's how we achieve the same.
>
> On Thu, Mar 21, 2024 at 3:25 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> All,
>>
>> After having written a solution using JMX to do something like this, I'd
>> like to make it cleaner and I'm not sure it's entirely possible using
>> just Servlet APIs.
>>
>> I'd like to be able to track every HttpSession for the application.
>>
>> For admin purposes, I'd like to be able to analyze:
>>
>> 1. The total number of sessions
>>
>> 2. The number of sessions which represent a logged-in user vs a
>> crawler-session or someone who visited the home-page and got a session
>> but never logged-in
>>
>> 3. Checking-out some specific roles of those logged-in users e.g.
>> end-user, staff, admin
>>
>> 4. Be able to kill a session at will. For example "chris is already
>> logged-in, kill his old session and let the new login remain"
>>
>> I started with the obvious HttpSessionListener +
>> HttpSessionActivationListener, but I tried this experiment and it didn't
>> turn out how I expected:
>>
>> 1. Start the application and hit the front page
>>
>> -> I get a call to HttpSessionListener.sessionCreated (expected)
>>
>> 2. Login
>>
>> 3. Logout
>>
>> -> I get a call to HttpSessionListener.sessionDestroyed (expected)
>> -> I get a call to HttpSessionListener.sessionCreated (expected)
>>     (this second one happens because our home-page creates a session)
>>
>> 4. Login again
>>
>> 5. Stop Tomcat
>>
>> -> No calls to anything I can see
>>
>> 6. Start Tomcat
>>
>> -> No calls to anything I can see
>>
>> 7. Access a protected page
>>
>> -> Access is allowed; I'm still logged-in.
>>
>> When Tomcat shuts-down, it's saving the sessions using local
>> persistence[1]. When the application comes back up, all those sessions
>> are restored from the disk.
>>
>> When my HttpSessionListener starts, it's empty and doesn't know about
>> any sessions. Tomcat doesn't notify it that any sessions are coming from
>> that storage.
>>
>> I would have expected calls to
>> HttpSessionActivationListener.sessionWillPassivate and
>> HttpSessionActivationListener.sessionDidActivate.
>>
>> Do I have unrealistic expectations? Is there a way to capture these
>> events so my in-memory session-watcher/manager is able to have an
>> accurate view of what Tomcat can see?
>>
>> Thanks,
>> -chris
>>
>> [1]
>>
>> https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html#Persistence_Across_Restarts
>>
>>
>>
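
Added example, not part of the original thread or of either poster's code: the Servlet API delivers sessionWillPassivate and sessionDidActivate to objects stored as session attributes, so a serializable attribute can keep an in-memory registry accurate across the stop/start sequence described above. The class name SessionTracker, the attribute name "tracker" and the setUser call at login are assumptions, as is the javax.servlet namespace used by Tomcat 9.

```java
import java.io.Serializable;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;

// Added example (hypothetical class): bind one instance to each session, e.g.
// session.setAttribute("tracker", new SessionTracker()) in sessionCreated.
public class SessionTracker implements HttpSessionBindingListener,
        HttpSessionActivationListener, Serializable {
    private static final long serialVersionUID = 1L;

    // Registry lives only in memory; it is rebuilt from container callbacks.
    private static final Set<SessionTracker> LIVE = ConcurrentHashMap.newKeySet();

    private transient volatile HttpSession session; // not persisted with the attribute
    private volatile String user;                   // null until login; persisted

    public void setUser(String user) { this.user = user; }

    // Attribute was added to a session.
    @Override public void valueBound(HttpSessionBindingEvent e) { attach(e.getSession()); }
    // Attribute removed, or the session was invalidated or timed out.
    @Override public void valueUnbound(HttpSessionBindingEvent e) { detach(); }
    // Session is about to be written to the persistent store (e.g. at shutdown).
    @Override public void sessionWillPassivate(HttpSessionEvent e) { detach(); }
    // Session was read back from the store: the case a plain listener never sees.
    @Override public void sessionDidActivate(HttpSessionEvent e) { attach(e.getSession()); }

    private void attach(HttpSession s) { session = s; LIVE.add(this); }
    private void detach() { LIVE.remove(this); session = null; }

    public static int total() { return LIVE.size(); }
    public static long loggedIn() {
        return LIVE.stream().filter(t -> t.user != null).count();
    }

    // Invalidate every other session of this user and return how many were killed.
    public static int killOthers(String user, HttpSession keep) {
        int killed = 0;
        for (SessionTracker t : LIVE) {
            HttpSession s = t.session;
            if (s == null || !user.equals(t.user) || s.getId().equals(keep.getId())) continue;
            try { s.invalidate(); killed++; }           // triggers valueUnbound -> detach
            catch (IllegalStateException gone) { t.detach(); } // already invalid
        }
        return killed;
    }
}
```

Because the registry holds tracker objects rather than session IDs, it stays correct when the container changes the session ID at login.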
