java httpsession is valid?_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-03-20 10:29 出处：网络

I\'m using the java servlet API in tomcat. I save in a hash table the username and the httpsession with the attribute username and I would like to know if there is a way to check if the httpsession i开

I'm using the java servlet API in tomcat.

I save in a hash table the username and the httpsession with the attribute username and I would like to know if there is a way to check if the httpsession i开发者_JS百科s valid.

I've tried:

try {
    String user = httpSession.getAttribute("username")
    return "is valid";
} catch (IllegalStateException e) {
    return "is not valid";
}

What can I do if I don't want that a "logged" user connect from more than one place? If I control only if I create a new session, I can't know if he was connected already with another session.

No need to store the httpSession in your own hash.

Look at the API for the HttpServletRequest. If you look at method getSession(Boolean x) (pass false so it doesn't create a new session) will determine if the session is valid.

Here is an example

public void doGet(HttpServletRequest req, HttpServletResponse res) {
    HttpSession session = req.getSession(false);
    
    if (session == null) {
       //valid session doesn't exist
       //do something like send the user to a login screen
    }

    if (session.getAttribute("username") == null) {
       //no username in session
       //user probably hasn't logged in properly
    }

    //now let's pretend to log the user out for good measure
    session.invalidate();
}

On a side note, If I read your question properly and you are storing the information in your own map, you need to be careful that you don't create a memory leak and are clearing the entries out of the hash table yourself.

I agree with Sean. I will add that a good practice for this type of checking is to use a Filter

See here Servlet Filter

Just take the code Sean have written and put it in a Filter instead. Define you filter in the web.xml and every time a request come in, the filter will execute.

This way you can validate if the user is auth. without cluttering your servlet code.

Rather than checking if a saved session is valid, you should be looking at the HttpServletRequest on your servlet, and checking isRequestedSessionIdValid() on that. When working in servlets you can always get Session from the Request, rather than saving it to a hash table.