3

In my Struts application once an user login I need to invalidate the current session and create a new session. I invalidate the session with

getHttpServletRequest().getSession().invalidate();

And I create a new session as 

getHttpServletRequest().getSession(true);

The problem here is after above I try to access getSession() it gives the state invalid exception; HttpSession is invalid.

getSession() returns a map where in my action class I implements SessionAware which has the setSession(Map session).

EDIT: Below is the exception

Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: HttpSession is invalid
java.lang.IllegalStateException: HttpSession is invalid

So, what I assume the problem is the Struts getSession() still reference the session which I've invalidated.

How to make the Struts getSession() to reference the new session which I've created?

maple_shaft
  • 10,435
  • 6
  • 46
  • 74
Harshana
  • 7,297
  • 25
  • 99
  • 173
  • Have you checked the web.xml for the session timeout? – Java_Alert Jun 24 '13 at 08:15
  • Thanks. it sets to 30 – Harshana Jun 24 '13 at 08:30
  • Why do you access the struts session when you invalidated the servlet session? – Roman C Jun 24 '13 at 10:03
  • well its like this. the jsp which the action forward has the s:token tag. Which i assume create a token and try to put it to the session. And this s:token may not access the session via request. That is the point which the edited answer exception throws. – Harshana Jun 24 '13 at 10:35
  • Actually before this s:token issue i put a getSession() statement and when that line execute the session invalidate exception throws. But then i did like setSession(null) and again assign the getSession(map) and print getSession() and then that exception went. And now when when the jsp renders above exception i posted occured because of the s:token – Harshana Jun 24 '13 at 10:40
  • @Harshana Use the struts session in the way I described below, it clean the struts session properly, set the new servlet session into it when renew, and creates new container for the values. – Roman C Jun 24 '13 at 11:00
  • Thank you very much. Can you please describe what is this renewServletSession property. Why you put null there and remove the whole attribute? – Harshana Jun 24 '13 at 11:26
  • When I put the object into struts session it's renew the servlet session if the session attribute of the session map is `null` (it becomes null when invalidate is called on the session map). Also it sets the object as attribute of the servlet session, thus I removed it afterwards when new servlet session is set to the session map. – Roman C Jun 24 '13 at 11:58

1 Answers1

10

If you want to access the struts session after you invalidated the servlet session you should update or renew the struts session. For example

SessionMap session = (SessionMap) ActionContext.getContext().getSession();

//invalidate
session.invalidate();

//renew servlet session
session.put("renewServletSession", null);
session.remove("renewServletSession");

//populate the struts session
session.entrySet();

now struts session is ready to use the new servlet session and you ready to reuse the struts session.

Roman C
  • 49,761
  • 33
  • 66
  • 176
  • The above code should be put after i invalidate the session i took from request right? then it says the session is already invalidated know? What i did is, first i take the session from request and invalidate it. Then add your code which includes a invalidation (for struts session) and Finally create a new session using request – Harshana Jun 24 '13 at 11:41
  • 3
    @Harshana No, you should not invalidate servlet session, you should invalidate struts session, doing that you 1) clean the struts session 2) invalidate servlet session. You should replace the code. Instead of `getHttpServletRequest().getSession().invalidate();` place my code, and don't `getHttpServletRequest().getSession(true)`. – Roman C Jun 24 '13 at 11:49
  • 1
    Thank you Roman. Works like a charm. The whole purpose of above is to fix session fixation. Since it change the original request session id to new one your solution successfully address it too. I change the heading and modify the question in order to highlight the idea of how to invalidate struts session in struts 2 so that other will benefit because your information couldn't found in google. Thanks again. – Harshana Jun 24 '13 at 13:13