Reputation: 2023
I'm a newbie to JSP, and on a particular page of my webapp I'm trying to determine whether the user is logged in. To do this, I'm checking for session existence. If the session does not exist, then I will redirect the user to the login page.
I'm confused by the fact that the following code
<%
    if (null == session)
        out.println("session is null");
    else
        out.println("session is not null");
    if (null == request.getSession(false))
        out.println("request.getSession() is null");
    else
        out.println("request.getSession() is not null");
%>
under any circumstances produces the following output:
session is not null request.getSession() is not null
I don't understand why the session exists even when I didn't create it. How do I check whether the user is logged in or not?
Thanks in advance.
Upvotes: 2
Views: 7157
Reputation: 1000
I would like to add one more point to @jdevelop's answer:
Once you write <%@ page session="false" %> in your JSP page, the session object becomes unavailable directly. That is why you will have to use request.getSession(false) (of course you will have to add a null check) to access the session object.
Upvotes: 0
Reputation: 7858
Whenever there is a user surfing your site there will be a session. The check for a user being logged in or not shouldn't depend on "session existence" as they are very different concepts.
You can store a session attribute in your session object at the moment a user logs in and remove it when he/she logs out. But I would recommend to configure a "container based authentication", that way you won't need to store any attribute in the session and the request methods "getUserPrincipal()" and "getRemoteUser()" could be used to know if a user is logged in or not. Besides, that kind of authentication is proven to be more secure and aligned with JavaEE principles.
To get some instructions about how to set up container-managed authentication, you can take a look at this other question on SO: Performing user authentication in Java EE / JSF using j_security_check
Upvotes: 2
Reputation: 37
The web container holds a unique session identifier for every user session. As a user requests another page in the web application, the session identifier is returned to the servlet along with the HttpSession object.
HttpSession getSession() - always returns an HttpSession object associated with this request if it is valid; if it is invalid, it will create a new session object.
HttpSession getSession(boolean create) - returns an HttpSession object associated with this request if it is valid, but if it is invalid then it creates a new session object only if the "create" input is "true".
Upvotes: 0
Reputation: 153
Instead of checking if the entire session exists, you could make the user a session attribute and check for its existence.
Upvotes: 0
Reputation: 12296
By default, a session is created for you by the container. For JSP use
<%@ page session="false" %>
to disable session creation on your JSP.
In order to check if the user exists, you need to put some token/key in the session on the server side after the user is logged in. Like
request.getSession().setAttribute("usertoken","authenticated");
and in the JSP simply check that the attribute exists and is not null
if ("authenticated".equals(session.getAttribute("usertoken"))) {
    // do something
}
Upvotes: 4
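The checks suggested in the answers above, combined into one servlet filter. This is an added example, not code from any of the posters: the class name LoginFilter and the paths /login.jsp and /login are assumptions, the usertoken attribute is the one from the answer above, and the javax.servlet API (Servlet 3.1 or later) is assumed.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: one filter guards every URL, so no JSP needs its own check.
@WebFilter("/*")
public class LoginFilter implements Filter {
    // Assumed paths (not from the posts): the login page and its form handler.
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<>(Arrays.asList(LOGIN_PAGE, "/login"));

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null instead of creating a session.
        HttpSession session = request.getSession(false);
        // A session alone proves nothing; only the marker set at login counts.
        boolean markedLoggedIn = session != null
                && "authenticated".equals(session.getAttribute("usertoken"));
        // Non-null only when container-managed authentication has succeeded.
        boolean containerLoggedIn = request.getUserPrincipal() != null;

        // getServletPath() is relative to the context path.
        boolean isPublic = PUBLIC_PATHS.contains(request.getServletPath());

        if (markedLoggedIn || containerLoggedIn || isPublic) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    @Override
    public void destroy() { }
}
```

When the login handler sets the usertoken attribute, calling request.changeSessionId() first (available since Servlet 3.1) gives the authenticated user a fresh session ID, so an ID issued before login is not carried into the logged-in session.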