
I have a legacy application using JSPs and Servlets and deployed in WebSphere.

I create a new session on the server side by doing

HttpSession session = request.getSession();
System.out.println(session.getId());

This will create a new session for me. I print the sessionid.

Now I invalidate this session and then create a new session and try to print the new session id for the new session.

session.invalidate();
session = request.getSession();   // reuse the variable declared above; a second declaration would not compile
System.out.println(session.getId());

The second call did create a new session object, since it passes the `isNew()` test. But the second session also prints the same session ID.

I thought the sessionId was unique. Should the second session have the same sessionId as the first one?

Gas
Npa
  • look: http://stackoverflow.com/questions/6824724/session-id-re-used-after-call-to-invalidate – Rafael Zeffa Feb 24 '15 at 20:08
  • Your second snippet shouldn't even work: `Session session = request.getSession();` should not compile if you'd really declared `session` before – kolossus Feb 25 '15 at 21:53

4 Answers


WebSphere may reuse session IDs in one of these 2 situations:

  • HttpSessionIdReuse property of session manager was explicitly configured to true
  • session persistence is enabled

It's not a bug: your sessions are still unique; it's just the ID that is being reused. There are some valid reasons to do so, but it may also cause weird behaviour in applications which assume that the session ID is always regenerated.

Marcin Płonka
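The practical consequence of ID reuse is the case this answer alludes to: code that assumes `invalidate()` followed by `getSession()` yields a fresh ID (the usual defence against session fixation at login) can silently keep the old one. The helper below is an added example, not code from the question, the answers or IBM; the class `SessionRotation` is hypothetical, it assumes the `javax.servlet` API on the classpath, and the property names in its comments are the ones the answers on this page mention. It performs the invalidate-then-recreate step, carries over only explicitly named attributes, and fails closed if the container handed back the same ID.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not from the question or from WebSphere): rotates the HTTP
 * session after a privilege change such as login and verifies that the container
 * really issued a different ID. On a container configured to reuse IDs
 * (HttpSessionIdReuse=true, or session persistence without UseInvalidatedId=false),
 * invalidate()+getSession() can return the old ID, which defeats the rotation.
 */
public final class SessionRotation {
    private static final Logger LOG = Logger.getLogger(SessionRotation.class.getName());

    /** Raised when the new session carries the same ID as the one just invalidated. */
    public static final class SessionIdReusedException extends IllegalStateException {
        private static final long serialVersionUID = 1L;
        SessionIdReusedException() {
            // Deliberately does not include the ID: session IDs must not end up in logs or stack traces.
            super("container reused the session ID after invalidate(); rotation failed");
        }
    }

    private SessionRotation() {}

    /**
     * Invalidates the current session (if any), creates a fresh one, copies over only
     * the named attributes, and fails closed if the ID did not change.
     *
     * @param request          the current request
     * @param attributesToKeep attribute names to carry into the new session
     *                         (assumption: the caller lists only what post-login code needs)
     * @return the new session, guaranteed to have an ID different from the old one
     */
    public static HttpSession rotate(HttpServletRequest request, String... attributesToKeep) {
        HttpSession old = request.getSession(false);
        String oldId = null;
        Map<String, Object> carried = new HashMap<>();

        if (old != null) {
            oldId = old.getId();
            for (String name : attributesToKeep) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate();   // all attributes are gone after this; only the copies above survive
        }

        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        if (oldId != null && oldId.equals(fresh.getId())) {
            // Same ID as before: the container is in ID-reuse mode. Do not hand the caller
            // a session it would wrongly treat as freshly identified.
            LOG.warning("session ID reuse detected after invalidate(); check HttpSessionIdReuse / UseInvalidatedId");
            fresh.invalidate();
            throw new SessionIdReusedException();
        }
        return fresh;
    }
}
```

A login servlet would call `HttpSession s = SessionRotation.rotate(request, "locale");` after the credentials check and only then store the authenticated principal on `s`. Copying attributes by name rather than wholesale keeps pre-authentication state from being trusted by accident, and throwing rather than logging alone means a misconfigured session manager shows up as a failed login in testing instead of as an ID that never changes in production.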

WebSphere Session Manager will reuse a session ID when creating a new HTTP session in certain circumstances.

Set "UseInvalidatedId" to "false" in the JVM to renew the session ID.

http://www-01.ibm.com/support/docview.wss?uid=swg21179195

venom

Your second snippet shouldn't even work: `Session session = request.getSession();` should not compile if you'd really declared `session` before. If that's the case, you're simply reusing the same `session` variable from earlier, resulting in the repetition of the session ID.

kolossus

Which WAS version are you running? You must be doing something wrong as I'm running 8.5.5.3 and it works perfectly fine.

I have the following code:

    HttpSession session = request.getSession();
    System.out.println("1: " + session.getId());
    session.invalidate();
    session = request.getSession();
    System.out.println("2: " + session.getId());
    session.invalidate();
    session = request.getSession(true);
    System.out.println("3: " + session.getId());
    session.invalidate();
    session = request.getSession(false);
    System.out.println("4: " + ((session == null)?"Null":(""+session.getId())));

which produces the following output:

[] 00000078 SystemOut     O 1: 3Mg4G9_ykUlsWA3zb2jroLM
[] 00000078 SystemOut     O 2: jY912QW4elk_-7Tbr-5_RHz
[] 00000078 SystemOut     O 3: mEeXsmodb7pKtuK-wu48joQ
[] 00000078 SystemOut     O 4: Null
Gas