© Copyright Marcus Green 2007

Objective 2) When sessions are created and destroyed

4.2) Given a scenario describe the APIs used to access the session object, explain when the session object was created, and describe the mechanisms used to destroy the session object, and when it was destroyed.

The getSession method

The most common version of the getSession method of the HttpServletRequest interface is the zero parameter version, which will either return any existing session or attempt to create a new one if none currently exists. It may also be called with a parameter of false, as in

request.getSession(false)

which will return any existing session, or a null value if there is no existing session with this client.

The getSession method will create a session if none currently exists

Session invalidate

If you want to deliberately invalidate a user's session you can call the invalidate method of an HttpSession object. According to the API spec, this

Invalidates this session then unbinds any objects bound to it.

An example of where you might want to do this is if you have a button in your web app that logs a user out of the system. By invalidating the session another user cannot simply access that web terminal and return to the application without logging in. Note that closing a web browser does not automatically invalidate a session, as the web application can only set state according to the last HTTP request, and closing a browser does not cause any requests to be sent.

When sessions end

The idea of an HTTP session is a bit of an illusion. The fact that the web browser is still part of a session is only confirmed each time a request is made to the server. If you access a page that starts a session and then go off for a four hour lunch, should the session still be considered to be alive? What about if you start a session on a Friday night and go away for a long weekend, should the session still be alive? There is no real way for a server to know if you are still “using the session”.

To get around this limitation the JSP/servlet technology includes the concept of a session time out, which can be set either via an attribute in the deployment descriptor or via a call to the setMaxInactiveInterval method. To set the timeout via the deployment descriptor the following tags can be placed under the web-app tag.

Setting the time out value

<session-config>
	<session-timeout>30</session-timeout>
</session-config>

The number within the <session-timeout> tag sets the value in minutes. Thus in the above example if the client makes no requests for 30 minutes the session will be invalidated. If the browser then makes a request that assumes the session still exists, the session will no longer be valid.

<session-timeout> uses minutes, setMaxInactiveInterval uses seconds

To set the time out within JSP code the following call will work.

session.setMaxInactiveInterval(1800);

This code will have the same effect as the example with the deployment descriptor because the parameter to setMaxInactiveInterval is in seconds unlike the <session-timeout> parameter which is interpreted as minutes.
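The three calls covered above (getSession, invalidate and setMaxInactiveInterval) combined in one servlet, as an added example that is not part of the original notes. The class name AccountServlet, the startSession helper, the "user" attribute and the /login.jsp path are assumptions, and the credential check and the web.xml servlet mapping are omitted.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: names, attribute keys and paths are assumptions.
public class AccountServlet extends HttpServlet {

    // Called by (hypothetical) login code once credentials have been checked.
    static HttpSession startSession(HttpServletRequest request, String username) {
        HttpSession session = request.getSession();   // creates a session if none exists
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(1800);         // seconds, i.e. 30 minutes
        return session;
    }

    // Protected page: must not create a session as a side effect.
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // After a timeout or invalidate() this returns null. The zero parameter
        // getSession() would instead return a new, empty session and hide the expiry.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Logged in as " + session.getAttribute("user"));
    }

    // Logout button: end the session on the server rather than relying on
    // the browser being closed, which sends no request.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // also unbinds any objects bound to the session
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```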


Other sources

API docs for HttpServletRequest
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html

This objective according to Mikalai Zaikin
http://java.boot.by/wcd-guide/ch04s02.html