2

How to generate new session id with out extends HttpServlet class. Is it mandatory to extend HttpServlet class & Is it mandatory to genarate new session id with in doGet method

public class LoginSupport extends ActionSupport {

    public void prepare() {
        HttpSession session = ServletActionContext.getRequest().getSession();
        session.invalidate();
        //How to genarate new session id
    }
}
BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
Mapa
  • 61
  • 1
  • 2
  • 12
  • 1
    Another call to `HttpServletRequest#getSession()` should re-create the session and generate a new ID – Phil Feb 21 '18 at 06:27

2 Answers2

3

After calling HttpSession#invalidate(), you can create a new session by calling HttpServletRequest#getSession().

For example

public void prepare() {
    final HttpServletRequest request = ServletActionContext.getRequest();
    request.getSession().invalidate();

    // generate new session (and id)
    final HttpSession newSession = request.getSession();
}

The next HTTP response from your server should include a new session ID, eg

Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

From https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getSession--

getSession

HttpSession getSession()

Returns the current session associated with this request, or if the request does not have a session, creates one.

Community
  • 1
  • 1
Phil
  • 157,677
  • 23
  • 242
  • 245
  • It is not working, could you tell me what should i put within prepare method? – Mapa Feb 21 '18 at 07:59
  • 1
    Literally what I have in my answer. – Phil Feb 21 '18 at 08:10
  • I put your code after my code with in prepare method, but It is not working & why do we destroy one session Id twice?? – Mapa Feb 21 '18 at 09:33
  • When I using this method, Value of destroyed session ID is equals to new session ID and I got these errors "ERROR - Servlet.service() for servlet default threw exception" and "java.lang.IllegalStateException: getAttribute: Session already invalidated" – Mapa Feb 22 '18 at 05:36
  • What HTTP container are you using? Jersey, Tomcat, something else? What version? – Phil Feb 22 '18 at 05:39
  • @Mapa that error means you're trying to so something with an an already invalidated session – Phil Feb 22 '18 at 05:40
  • I'm using jboss – Mapa Feb 22 '18 at 05:41
  • 1
    Might be related to this question of mine from a very long time ago ~ https://stackoverflow.com/questions/6824724/session-id-re-used-after-call-to-invalidate. In my research on that, I'd found that JBoss exhibits this behaviour – Phil Feb 22 '18 at 05:42
  • Yes.. within my jboss server.xml file emptySessionPath="true" should it be false – Mapa Feb 22 '18 at 05:43
  • 1
    @Mapa perhaps open another question for that one. I've never used JBoss – Phil Feb 22 '18 at 05:51
3

When on Servlet 3.1 or newer (Java EE 7), just use HttpServletRequest#changeSessionId().

request.changeSessionId();

It won't invalidate the session but just change the value of the JSESSIONID cookie.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555