I opened the session in my servlet when the user performed a successful login:
HttpSession session = request.getSession(true);
session.setAttribute("name", name);
then I wrote in the logout.jsp to terminate the session:
<%session.invalidate();%>
To check if a session is valid I am doing this:
HttpSession session = request.getSession();
String name = (String) session.getAttribute("name");
But it is not working, I am getting the session valid even after the session.invalidate. Does anyone understand where am I doing wrong?
you should call session.getSession(false) - which returns null if there is no current session.
according to docs
HttpSession#getSession(boolean create)- create - true to create a new session for this request if necessary; false to return null if there's no current session.
So the correct way of session value check would -
HttpSession session = request.getSession(false);
if(session!=null)
session.setAttribute("name", name);
and once you invalidate the session -
HttpSession session = request.getSession(false);
if(session!=null)
session.invalidate();
To Validate the Session
HttpSession session = request.getSession(true);
session.setAttribute("name", name);
To invalidate it you need to do
session.removeAttribute("name");
session.invalidate();
But you need to keep one thing in mind that the object may became invalid but this doesnot mean that it will cleaned immediately, even after invalidating it after all its attributes gone it is possible that sesssion object will get reused, I got the same user ID and creation time.
来源:https://stackoverflow.com/questions/14445024/how-to-validate-invalidate-sessions-jsp-servlets