HttpServletRequest returns wrong session?


philipp....@gmail.com

Sep 8, 2009, 4:11:16 AM
to Google Web Toolkit
Hi,

for a GWT application, I need a user management servlet, thus I am
setting an attribute for a session in which the current user is stored
(like this):

HttpSession session = getThreadLocalRequest().getSession(true);
session.setAttribute("user", "myUserName");

Now, I do have a different service, which I use to display some data.
When I click on a button on the client side, the data is displayed
correctly -- in about 59 of 60 cases. If I click the button often
enough, at one point, the following code will _not_ work:

HttpSession session = getThreadLocalRequest().getSession();
String userName = (String) session.getAttribute("user");

and at this point, userName suddenly is null!
As I said, most of the time, the code above works, but sometimes, it
doesn't... Why?

Also: I have printed the session id to the screen: It is correct (i.e.
always the same) as long as the above code works, but in the failure
case, the session id suddenly is different (although I am positive
that I neither started a new session nor asked GWT to do so...).

Any ideas? Do you need more information? What am I doing wrong?

Thanks for your help!
Philipp

Sri

Sep 8, 2009, 7:54:10 PM
to Google Web Toolkit
GWT doesn't do anything with the session, so it is strange you are
facing such a problem.

Perhaps you could make a simple servlet/jsp (independent of gwt) which
prints the same information as above (ie. sessionid and user object),
and access the URL via a browser. If you are seeing the same behaviour
(session id changing), then you would have eliminated GWT from being
the culprit.


philipp....@gmail.com

Sep 9, 2009, 3:05:45 AM
to Google Web Toolkit
Ok, I will try that. Thanks for your answer.

In the meantime, I had experimented a little and I found that I could
use a cookie to store the current user/encoded password combination
and, if the failure case occurs, I "re-authenticate" the user from the
information in the cookie and bind the user to the new session. This
works -- I don't really understand why the problem occurred in the
first place, but at least I do have a workaround now. For those
interested, here is the relevant snippet:

Call this, whenever a user authenticates (or in a more general case:
Whenever you assign data to a session):
private final void updateCookies(String login, String hash) {
    Cookie cLogin = new Cookie("userName", login);
    Cookie cPwd = new Cookie("userPassword", hash);
    int maxAge;
    String path = getThreadLocalRequest().getContextPath();
    maxAge = 60 * 60 * 24 * 30; // 1 month

    cLogin.setMaxAge(maxAge);
    cPwd.setMaxAge(maxAge);

    cLogin.setPath(path);
    cPwd.setPath(path);

    getThreadLocalResponse().addCookie(cLogin);
    getThreadLocalResponse().addCookie(cPwd);
}

To read the cookie-data:
protected AuthUser getAuthUserFromCookies() {
    Cookie[] cookies = getThreadLocalRequest().getCookies();
    String loginName = null;
    String password = null;
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            Cookie cookie = cookies[i];
            String name = cookie.getName();
            String value = cookie.getValue();
            if (name.equalsIgnoreCase("userName")) {
                loginName = value;
            } else if (name.equalsIgnoreCase("userPassword")) {
                password = value;
            }
        }
    }

    System.err.println("Examining cookie: " + loginName + ", " + password);

    // Snip: The following omitted code authenticates the user using a password hash
    return successfullyAuthenticatedUser;
}

So now, it's down to the failure case:

public final synchronized UserSession getUserSession() throws SessionExpiredException {
    HttpSession session = getSession();
    synchronized (session) {
        UserBinding userBinding = (UserBinding)session.getAttribute(SESSION_USER);
        if (userBinding == null) {
            System.err.println("Session cookie expired; re-authenticating user...");
            AuthUser user = getAuthUserFromCookies();
            if (user != null) {
                UserSession userSession = new UserSession(user, session.getId());
                bindUserToSession(userSession, session);
                // Be sure to update the cookie here, again; otherwise you'll run into problems
                // the next time the session is different.
                updateCookies(user.getLoginName(), user.getPassword());
            }
            userBinding = (UserBinding)session.getAttribute(SESSION_USER);
            if (userBinding == null) {
                throw new SessionExpiredException("Session expired!");
            }
        }
        return userBinding.getUserSession();
    }
}
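
The workaround in the last post keeps the password hash in a month-long `userPassword` cookie, so the cookie value works as a credential on its own. As an added example that is not part of the original posts, here is one way to re-bind a user without putting the hash on the client: a signed, expiring token. The class name `RememberMeToken`, the token layout and the key handling are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Hypothetical helper (not from the thread): signed, expiring remember-me cookie value. */
public class RememberMeToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;
    public RememberMeToken(byte[] serverSecret) { key = new SecretKeySpec(serverSecret, "HmacSHA256"); }

    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** Cookie value: base64url(login) "." expiryMillis "." base64url(HMAC over the first two parts). */
    public String issue(String login, long expiresAtMillis) throws Exception {
        String payload = ENC.encodeToString(login.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return payload + "." + ENC.encodeToString(sign(payload));
    }

    /** Returns the login name, or null if the token is malformed, forged or expired. */
    public String verify(String token, long nowMillis) throws Exception {
        String[] p = token == null ? new String[0] : token.split("\\.");
        if (p.length != 3) return null;
        try {
            // Constant-time comparison of the recomputed MAC with the presented one.
            if (!MessageDigest.isEqual(sign(p[0] + "." + p[1]), DEC.decode(p[2]))) return null;
            if (Long.parseLong(p[1]) <= nowMillis) return null; // expired
            return new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // bad base64 or non-numeric expiry
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed demo key; a real key lives in server config
        RememberMeToken t = new RememberMeToken(secret);
        long now = System.currentTimeMillis(), month = 30L * 24 * 60 * 60 * 1000;
        String cookie = t.issue("myUserName", now + month);
        System.out.println(t.verify(cookie, now) + " " + t.verify(cookie + "x", now)
                + " " + t.verify(cookie, now + month + 1));
    }
}
```

In a servlet the value would go into a single cookie with `setSecure(true)` and, on Servlet 3.0 or later, `setHttpOnly(true)`. A stateless token like this cannot be revoked individually; rotating the server key invalidates all of them.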