More doubts about session control

[pajarokillo]

Hi, i follow having doubts about the session control. I do the session control in the next method:

protected boolean processPreprocess(HttpServletRequest request,HttpServletResponse response){
HttpSession session = null;
UserContainer user = null;

super.processPreprocess(request,response);

session = request.getSession(false);
try{
if (session != null){
doForward((moduleConfig.findForwardConfig(IConstants.SESSION_EXPIRADA)).getPath(),request,response);
}
}
catch(IOException ex){
log.error("ERRORRRRRRRRRRRRRRRRRRRRRRRRRRRRRR: " + ex.getMessage());
}
catch(ServletException ex){
log.error("ERRORRRRRRRRRRRRRRRRRRRRRRRRRRRRRR: " + ex.getMessage());
}

return true;

}

Good, so my question is the following:
when i do request.getSession(false) it always return a HttpSession object, but when the session has expired and i do request.getSession(false) it must return null, no?, and then my session control doesn't work good.

How i can do a good session control?

 

[byam]

some application servers will automatically create a session if incoming request doesn't already have one. So by the time you call request.getSesssion(false), a session has already been created.

One way to validate if a session is to check for a token, which is added to user session upon sucessful user authentication. So in stead of check if request has a session, you should check if user session have a valid authentication token.

Here is a example how to authenicate user using JAAS

http://www.theserverside.com/articles/article.tss?l=JAAS

you may not need to use JAAS, but it give you some idea, how authentication and authorization can be done.

Hope this will give you some idea.