Invalidating a session using session id


For example, if a server supports only cookie-based sessions and a client has completely disabled the use of cookies, calls to the if the session being accessed is invalid. To demonstrate these methods, Example 7-5 shows a servlet that manually invalidates a session if it is more than a day old or has been inactive for more than an hour. Behind the scenes, the session ID is usually saved on the client in a cookie or sent as part of a rewritten URL. All URLs emitted by a servlet should be run through this method.

A server can build on this base to provide additional features and capabilities.

Fortunately for us servlet developers, it's not always necessary for a servlet to manage its own sessions using the techniques we have just discussed.

The Servlet API provides several methods and classes specifically designed to handle session tracking on behalf of servlets.

Note that installing this servlet is a security risk, as it exposes the server's session IDs--these may be used by unscrupulous clients to join other clients' sessions.

The that is installed by default with the Java Web Server 1.1.x has similar behavior.

Finally, you can remove an object from a session with if the session being accessed is invalid (we'll discuss invalid sessions in an upcoming section).
