I want to invalidate sessions of users based on some Event. I store their sessionID, how to get their HttpSession from this ID? The HttpSessionContext class is deprecated with no replacement.
+3
A:
The methods that are already doing this are deprecated. But you can implement the your idea useing HttpSessionListener, when a new session is created store it in a HashMap with session id as a key and object is actual HttpSessionObject. You can get the reference by this.
Niger
2009-08-09 13:11:36
Yes I can do that.But I am writing application for a big website with millions of users. Storing these id/sessions in a map will not be wise.I need to get the session from the Container itself, the container knows more about how to store them.
Bahaa Zaid
2009-08-09 13:14:07
Storing the object meaning you are not going to store the actual object. Only the reference got stored. So the storage will be minimal.
Niger
2009-08-09 13:17:00
I understand. But What if the Container serialize less frequently used sessions to DB/File System?? I don't know how WebLogic deal with these sessions.I will use this solution as the final one if I couldn't find straight way to retrieve the session directly from the container.
Bahaa Zaid
2009-08-09 13:27:34
Ok If you want to maintain the session object to be persistence then i suggest to maintain the same key(sessionID) ,value (httpsession) in DB. The right choice to use Berkeley DB for this scenario.
Niger
2009-08-09 14:08:32
If you use this approach you'll want to make sure the entries in the Map don't live forever - otherwise this might have unintended memory leaks / issues with GC. Possibly use a WeakMap or WeakReference
matt b
2009-08-09 14:30:29
I agree with matt.Anyway this is a hack still.
Bahaa Zaid
2009-08-09 21:38:05
It is a hack, yes, but so is trying to get the Session from the Session ID. That's not supported by the container, so trying to get around it is already a hack. Using a WeakHashMap isn't making things any worse.
skaffman
2009-08-10 07:35:55
+2
A:
Servlet 2.2 specifically deprecated this for security reasons so there shouldn't be any official way to do this. Not recommended but you can can try to use Manager.findSession() if you use Tomcat.
I just removed HttpSession from my application. It's really hard to keep sessions in sync when many servers are running. We tried to tweak it by writing our own manager but can never get it work right. Finally, we wrote our own session implementation with about 500-lines of code and it works much better.
ZZ Coder
2009-08-09 13:44:51