request.getSession(false) returns sessions after session.invalidate

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: 6.0.1
Fix Version/s: None
Component/s: Servlet
Labels:
None
Environment:
Windows, JDK 1.5.06

Number of attachments :
0

Description

The request.getSession(false) method returns an invalid session after the session has already been invalidated.

Example code (inside Filter/Servlet/JSP):

//Create session
HttpSession session = request.getSession();

//Invalidate Session
session.invalidate();

//Re-Get the session (should return null, but does not):
session = request.getSession(false);
if(session != null) {
session.getAttribute("foo"); //Leads to IllegalStateException since returned session is invalidated!!
}

According to the Servlet-API: request.getSession(false) must return null if no valid session for the current request is available.

Activity

Hide

Permalink

Jan Bartel added a comment - 19/Oct/06 7:19 AM

Duplicate of ~~JETTY-141~~. Fix for that applied to 6.0-branch for release in 6.0.2, and also to 6.1 branch.

Show

Jan Bartel added a comment - 19/Oct/06 7:19 AM Duplicate of JETTY-141 . Fix for that applied to 6.0-branch for release in 6.0.2, and also to 6.1 branch.

People

Assignee:

Jan Bartel

Reporter:

Denis Pasek

Vote (0)

Watch (1)

Dates

Created:

16/Oct/06 8:30 AM

Updated:

19/Oct/06 7:19 AM

Resolved:

19/Oct/06 7:19 AM