I have reported an instance of this bug on Orion's bugzilla Bug #566 which
still remains marked as 'New' well after 1 month, so I still have no
feedback as to whether this is a bug or not.

My login_form.jsp file has the purpose of invalidating the current session
(to effectively logout any existing session), creating a new session,
retrieving a 'brand' bean, and displaying an appropriate login form which
utilizes some of the fields in the 'brand' bean (to determine colors and
logo image location, etc).

I use a JSP custom tag to handle the brand bean retrieval:

HttpServletRequest request = (HttpServletRequest)pageContext.getRequest();
HttpSession session = request.getSession();
HttpSession newsession = request.getSession(true);

// code to retrieve the brandbean omitted to reduce the clutter


My JSP code for login_form.jsp contains this excerpt:

<mytags:newuser />
<jsp:useBean id="brand" scope="session"

The resulting output when trying to access the page is as follows:

java.lang.IllegalStateException: Session was invalidated
        at com.evermind[Orion/1.5.2 (build
10460)].server.http.EvermindHttpSession.getAttribute(Unknown Source)
        at /login_form.jsp._jspService(/login_form.jsp.java:58)
// additional inconsequential stacktrace omitted.

It is obvious here that the object reference used to access the session
scope from the useBean tag has grown stale and is not effected by calls to
the request object's getSession(boolean) method.

A secondary issue is that the actual Session ID does not change when a new
session is requested.  I would like this to take place as well if it is
possible.  Does anyone have any suggestion of what I can implement without
creating nasty scriptlet code or otherwise significantly altering my control

-----Original Message-----
[mailto:[EMAIL PROTECTED]]On Behalf Of The
Sent: Tuesday, September 18, 2001 3:11 PM
To: Orion-Interest
Subject: RE: session bug


This won't work reliably on  a post request, because the session management
also depends on cookies. In order to make sure you get a new session, you
will need to put in something like this (only for post request):

session = request.getSession(true);

if(!session.getNew()) response.sendRedirect("/logout");

This will work about 99% of the time...whereas if you just do
session.invalidate(), session=request.getSession(true) it won't work in a
post request.


the elephantwalker

-----Original Message-----
[mailto:[EMAIL PROTECTED]]On Behalf Of Rafael Alvarez
Sent: Tuesday, September 18, 2001 11:00 AM
To: Orion-Interest
Subject: Re: session bug

Hello Denis,
Try doing this:
session = request.getSession(true);
System.out.println("session = request.getSession(false);\t" +
System.out.println("session = " + session);
System.out.println("session.invalidate();\t" + session.hashCode());
System.out.println("session = " + session);
session = request.getSession(true);
System.out.println("session = request.getSession();\t" +
System.out.println("session = " + session);

That way you'll get a new session after the session is invalidated.
The problem arises because the session object that is associated with
the request object is the invalidated one until you create a new
session, either by a new hit in the page/servlet or by using

Tuesday, September 18, 2001, 9:44:52 AM, you wrote:

DK> Hello everyone!

DK> I think I have found bug in orion 1.5.2.
DK> There is problem with sessions. When I invalidate session and then get
DK> session, sometimes (not always) I get same invalidated session.
DK> Does anybody have same problem? Any solution except that I remove all
DK> from session?
DK> Thanks in advance.

DK> Here is code that demonstrates bug:

DK> session = request.getSession(true);
DK> System.out.println("session = request.getSession(false);\t" +
DK> session.hashCode());
DK> System.out.println("session = " + session);
DK> session.invalidate();
DK> System.out.println("session.invalidate();\t" + session.hashCode());
DK> System.out.println("session = " + session);
DK> session = request.getSession();
DK> System.out.println("session = request.getSession();\t" +
DK> session.hashCode());
DK> System.out.println("session = " + session);

DK> Orion's output:

DK> session = request.getSession();    2935133
DK> session = HTTP Session AKAEMHOGAJOD
DK> session.invalidate();   2935133
DK> session = HTTP Session AKAEMHOGAJOD
DK> session = request.getSession();         2935133
DK> session = HTTP Session AKAEMHOGAJOD

DK> Exception is
DK> java.lang.IllegalStateException: Session was invalidated
DK>         at
DK> Source)
DK>         at
DK> isvu.kadrovska.web.command.LoginCommand.execute(LoginCommand.java:161)
DK>         at isvu.kadrovska.web.Kadrovska.doPost(Kadrovska.java:183)
DK>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:211)
DK>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
DK>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
DK>         at com.evermind._cxb._abe(Unknown Source)
DK>         at com.evermind._cxb._uec(Unknown Source)
DK>         at com.evermind._io._twc(Unknown Source)
DK>         at com.evermind._io._gc(Unknown Source)
DK>         at com.evermind._if.run(Unknown Source)

Best regards,
 Rafael                            mailto:[EMAIL PROTECTED]

Reply via email to