Bug 32832 - request.getSession(false) fails to return null.
Summary: request.getSession(false) fails to return null.
Status: CLOSED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.6
Hardware: PC Linux
: P2 major (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-23 16:28 UTC by blumm
Modified: 2006-06-11 18:04 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description blumm 2004-12-23 16:28:21 UTC
1.Servlet 'a'  includes servlet 'b' from a different context.  
2.Servlets 'b' and 'c' belong to the same context.
3.Servlet 'b' includes servlet 'c'.
4.Servlet 'c' creates a session via request.getSession().
5.Servlet 'c' invalidates the session and returns to servlet 'b'.
6.Servlet 'b' performs request.getSession(false).

I expect that Servlet 'b' gets 'null' returned by getSession(false), but instead
a session object is returned.

Note: If only one web-application is involved (only servlets b and c in same
context), then getSession works as expected. If two web-applications are
involved like described in the scenario, then getSession fails to return null.
Comment 1 Remy Maucherat 2004-12-23 16:35:02 UTC
Please do not reopen this report. If you disagree with my resolution, please
bring this forward to the servlet specification, and persuade them to make the
necessary specification changes.

BTW, I disagree with what you point out. What you want is actually a shared
session across all contexts. Again, this is a blatant misconception on the part
of the portlet specification and its design, since all the servlet specification
ever said was that a separate session object would be returned for each context,
with no further precisions.
Comment 2 Jan Luehe 2005-01-11 22:22:31 UTC
I believe this bug has been valid: If the session in the foreign
context has been invalidated, it must not be returned. A comment in
the code actually stated that the current session be returned "if it
exists and is valid", but the isValid() check on the session was
missing, and is being added by this commit.
Also, a session is now created in the foreign context only if 'create' is TRUE.