2

I have a sample Spring MVC application with SessionListener as:

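import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.log4j.Logger;

public class SessionListener implements HttpSessionListener {
    private static final Logger logger = Logger.getLogger(SessionListener.class);

    // Called by the container when a new session is created.
    public void sessionCreated(HttpSessionEvent e) {
        logger.info("Session created: " + e.getSession().getId());
    }

    // Called by the container when a session is invalidated or times out.
    public void sessionDestroyed(HttpSessionEvent e) {
        logger.info("Session destroyed: " + e.getSession().getId());
    }
}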

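and a custom controller as:

import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class SessionInvalidateController {
    // Invalidates the caller's current session.
    @RequestMapping("/invalidateSession")
    void clearSession(HttpSession session) {
        session.invalidate();
    }
}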

The conversion pattern of the Log4j.xml file used to log the session listener events is:

When I hit the /invalidateSession URL from the application, it successfully invalidates the session, and I got logs that left me scratching my head.

The log snippet that I got is:

Session destroyed: 4c3kpUbJt1zvCeOHWJkxpJY
Session created: 4c3kpUbJt1zvCeOHWJkxpJY

I checked the HttpSessionEvent code, which returns the ID from the HttpSession. Link for the code: http://grepcode.com/file/repo1.maven.org/maven2/javax.servlet/servlet-api/2.4/javax/servlet/http/HttpSession.java#HttpSession.getId%28%29.

Then I ran the same code on Tomcat 7 and I am getting the changed IDs.

Session destroyed: 4C7B0754969FE4EA98E351522C38E79F
Session created: 3BBA7D0968A49446D68E5505B9ECF124

Though the documentation clearly says that:

unique identifier assigned to this session

The question that arises here is: why is this ID not changing? Am I missing something, or is this expected behavior?

Tech Enthusiast
  • Have a look at the following: [Why session is not null after session.invalidate() in JAVA?](http://stackoverflow.com/questions/24677949/why-session-is-not-null-after-session-invalidate-in-java) and [How to validate/invalidate sessions jsp/servlets?](http://stackoverflow.com/questions/14445024/how-to-validate-invalidate-sessions-jsp-servlets) Hope it helps – Afshin Ghazi Dec 11 '15 at 12:13
  • Possible duplicate of [Session ID re-used after call to invalidate](http://stackoverflow.com/questions/6824724/session-id-re-used-after-call-to-invalidate) – andrucz Dec 11 '15 at 12:17
  • Could it be that, since HttpSession is an interface, the actual implementation depends on the **Server**, each of which has its own implementation (sure)? I am using WebSphere for this sample code. – Tech Enthusiast Dec 15 '15 at 12:38
  • I have verified it on the Tomcat and it is returning the changed ID. – Tech Enthusiast Dec 15 '15 at 12:08

1 Answer

0

Note: if there are ANY references to the session, it will not be invalidated, and therefore you will get the value. This includes logger.info("Session destroyed: " + e.getSession().getId());

To actually check whether the session is null after session.invalidate():

// request is the current HttpServletRequest; getSession(false) returns null
// instead of creating a new session when none exists.
HttpSession session = request.getSession(false);
if (session != null && session.getAttribute("loginToken") != null) {
    // do something
}
Afshin Ghazi
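
The question's logs show one server handing out the same session ID again right after it was destroyed, while Tomcat 7 issues a new one. As an added example (not code from the question or the answer), the listener below extends the question's SessionListener to flag that reuse and to log a truncated SHA-256 fingerprint instead of the raw session ID. The class name, the MAX_TRACKED limit and the use of the Log4j 1.x Logger with the javax.servlet API are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.log4j.Logger;

// Added example; the class name and MAX_TRACKED are assumptions, not from the post.
public class SessionIdReuseListener implements HttpSessionListener {
    private static final Logger logger = Logger.getLogger(SessionIdReuseListener.class);
    private static final int MAX_TRACKED = 10000; // bounds memory use
    // Fingerprints of recently destroyed session IDs; the oldest is evicted first.
    private final Set<String> destroyed = Collections.synchronizedSet(
        Collections.newSetFromMap(new LinkedHashMap<String, Boolean>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > MAX_TRACKED;
            }
        }));

    // First 8 bytes of SHA-256 in hex, so the raw session token never reaches the log.
    static String fingerprint(String sessionId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 8; i++) hex.append(String.format("%02x", digest[i]));
            return hex.toString();
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex); // SHA-256 is mandatory on every JRE
        }
    }

    public void sessionCreated(HttpSessionEvent e) {
        String fp = fingerprint(e.getSession().getId());
        if (destroyed.contains(fp)) {
            logger.warn("Session ID reused after invalidation, fingerprint " + fp);
        } else {
            logger.info("Session created, fingerprint " + fp);
        }
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        String fp = fingerprint(e.getSession().getId());
        destroyed.add(fp);
        logger.info("Session destroyed, fingerprint " + fp);
    }
}
```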