Hey Joe --

Good News (for me), you are absolutely right (like there was any doubt)! I had some mucky-muck before the server-specific sessionID token. Thanks for your help, it is greatly appreciated.

On Friday, January 3, 2003, at 05:57 PM, Joe Barefoot wrote:

It makes perfect sense. :) However:

Just because the user leaves your site does not mean the session is lost (from the server's perspective), unless you are explicitly logging them out when they go to the other site, or their session times out. If the session times out, you're out of luck either way. If you are not explicitly logging them out (there's no good reason to, esp. if they might be returning), then the session is still valid until the timeout is reached.

In order for the server to recognize a request as being part of an active session via the query string (i.e., no cookies), you must append to the URL the server-specific sessionID token (a ';' is used to indicate this token, as opposed to a '?' for regular query parameters, and the token must come first in the query string) plus the value of the sessionID. When the server receives the request, it will look for this token and try to match it to a pre-existing session. If, however, you are using your own parameter to indicate the sessionID, the server has no way of determining the session and will definitely return false from the isRequestedSessionIdValid() method.

For Tomcat, your URL should look like this:

http://www.mysite.com/myServlets/someServlet;jsessionid=CAK3413381?someParam=stuff&someOtherParam=moreStuff


I've used this means to 'trick' servers into accepting a request as part of a session many times, so I can't imagine why it wouldn't work for you...
I believe that some servers also have the option of disabling session recognition via the query string, so make sure it isn't disabled (shouldn't be by default).



hope this helps,
Joe

-----Original Message-----
From: teamgasoline [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 3:42 PM
To: Struts Users Mailing List
Cc: Joe Barefoot
Subject: Re: obtaining all current sessions in tomcat


Thank you for your reply Joe.

I have tried that and the isRequestedSessionIdValid() method returns false because the user must leave my site, hence they lose the reference to their session. What I am doing is supplying a url to that site that notifies a servlet on my end. To the url I append the session id. In the servlet I want to take that session id (which at this point has no session object it belongs to) and verify that the session is still active on my site for verification of the record. I hope all this makes sense.


On Friday, January 3, 2003, at 03:43  PM, Joe Barefoot wrote:

This function is part of the servlet API, there's no need to
obtain/iterate through the active sessions.  The HttpServletRequest
can be used:

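if (request.isRequestedSessionIdValid()) {
    // The session ID sent with this request matches a live session
    dump(request);
} else {
    // No matching active session (timed out, invalidated, or ID not recognized)
    // ... take other action here
}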


-----Original Message-----
From: teamgasoline [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 1:34 PM
To: [EMAIL PROTECTED]
Subject: obtaining all current sessions in tomcat


Hello --

This isn't really a struts question, but I have found a lot of good answers searching this list so I thought this might be an easy one for the smart people here.

I have a situation where the user must go to another website to obtain some info. That site then hooks back into mine with a url that I provide, which is a servlet. The problem is I lose the session object while the user is doing their business at the other site. What I want to do is verify that this is the same user and dump to a database. Right now I add the session id to the servlet url (which is called by the other site when the user is done there), then in the servlet I want to cycle through all the current session ids that tomcat has active (This is just for verification/security). If that current session is present (which it should be) I go ahead with dump, if not other action taken. The question is where do I look for and how do I get to the active session ids that are currently being used by tomcat.

Thanks for all the help.


--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
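
The URL form discussed in the thread, as an added example that is not part of the original messages and is not Tomcat's own code: a simplified, JDK-only model of how the ';jsessionid=' token is located in the path and matched against live sessions. The class name, the session table, the 'mySessionId' parameter and the second and third URLs are constructed for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class JsessionidDemo {
    // Constructed stand-in for the container's table of live sessions.
    static final Map<String, String> ACTIVE_SESSIONS = Map.of("CAK3413381", "user-a");

    // Finds the ";jsessionid=" token. It sits in the path, before '?',
    // so ordinary query parameters are never consulted.
    static Optional<String> requestedSessionId(String url) {
        String rawPath = URI.create(url).getRawPath();
        if (rawPath == null) return Optional.empty();
        String[] parts = rawPath.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is the path itself
            if (parts[i].startsWith("jsessionid=")) {
                String id = parts[i].substring("jsessionid=".length());
                return id.isEmpty() ? Optional.empty() : Optional.of(id);
            }
        }
        return Optional.empty();
    }

    // Simplified model of the decision isRequestedSessionIdValid() reports.
    static boolean isRequestedSessionIdValid(String url) {
        return requestedSessionId(url).map(ACTIVE_SESSIONS::containsKey).orElse(false);
    }

    public static void main(String[] args) {
        List<String> urls = List.of(
            // Form from the thread: token in the path, then the query string.
            "http://www.mysite.com/myServlets/someServlet;jsessionid=CAK3413381?someParam=stuff",
            // Hypothetical home-grown parameter: the container does not look here.
            "http://www.mysite.com/myServlets/someServlet?mySessionId=CAK3413381",
            // Well-formed token, but no such session (timed out or never issued).
            "http://www.mysite.com/myServlets/someServlet;jsessionid=ZZZ0000000?someParam=stuff");
        for (String url : urls) {
            System.out.printf("%-5b id=%-12s %s%n", isRequestedSessionIdValid(url),
                requestedSessionId(url).orElse("(none)"), url);
        }
    }
}
```

In a real servlet, request.isRequestedSessionIdValid() gives this answer and request.isRequestedSessionIdFromURL() reports that the ID arrived in the URL rather than in a cookie. Because the ID in the URL is the whole credential for the session, the other site and any log or Referer header that records the callback URL can replay it until the session times out.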

