Store and invalidate Java HttpSession from different user

Question

Okay. What I want to do is be able to, when I update a user, invalidate any session that they currently have in order to force a refresh of credentials. I don\'t care about bein

Answer 1

Well, as far as I can tell, there's no way around it. Using a request-scoped bean didn't work as I expected (although it did give me good insights into how Spring operates, intercepting field accesses). I ended up using a dirty flag on my SessionHandler (a session-scoped bean) with a very high-priority aspect checking and, if necessary, calling invalidate() on the session in the user's next request. I still ended up having all my SessionHandlers register with a SessionManager, and a @PreDestroy method to unregister them in order to avoid a bunch of null entries in the map.

Answer 2

There's no straight forward way. The easiest way I can think of is to keep a flag on the database (or a cahche) and check it's validity on each request.

Or you can implement a HTTP Session listener and keep a HashMap of user sessions that can be accessed and invalidated.

I haven't tried any of these out so I don't know of any performance issues. But it should be acceptable for most applications.