When you're writing Java web applications -- for example, an application like a discussion forum -- you end up writing Java servlets where you need to know if the user accessing your servlet has a valid Java servlet session established. If they have a valid servlet session established, you might do one thing in your servlet code, but if they don't have a valid servlet session, you might handle their request differently.
For example, the devdaily.com blog used to run on a pure Java servlet and JSP framework, and we had a very basic user authentication approach. For blog visitors (readers) and other bots (like search engine spiders) we did not create a Java session, but for users that went through the login process, we did create a Java servlet session for them, and kept a number of objects in their session, including basic user information.
I don't know how common this approach is these days (only creating a servlet session for users that have gone through a login process), as every marketing person seems to want to track information about everyone, including site visitors. But when I originally wrote that blog code (back in 1999), I had no interest in tracking visitors (and I personally still don't). Earlier this year I wrote an application for a client using JSF and JAAS, but unfortunately I don't remember if we did anything to access the servlet session.
Getting back to the purpose of testing for the existence of a valid Java servlet session ... if you're writing Java servlet code, and you want to test to see if the user has a valid Java servlet session, just call the getSession method of your HttpServletRequest object, passing false as the parameter so that the call does not create a new session:
    public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException
    {
        // don't do anything unless there is a valid servlet session.
        // be sure to pass 'false' in with this method call.
        HttpSession session = request.getSession(false);
        if (session == null)
        {
            System.err.println("FileUploadServlet, session was null, just returning.");
            return;
        }
        // your other business logic code is down here ...
    }
That false parameter can be a big gotcha, and I highly recommend reading the Javadoc for this HttpServletRequest getSession method. For example, here's a clip from that Javadoc:
Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session. If create is false and the request has no valid HttpSession, this method returns null.
As you can see from that example Java servlet session code, to test for the existence of a valid servlet session, all you have to do is call the getSession method of your request object (an HttpServletRequest) with a false parameter in the doGet or doPost method, and test to see if that session reference you get back is null. If it is null, the user does not have a valid servlet session, so you can just return at that point, or add logic to do whatever else you want. And if you do get back a valid Java servlet session, you can then proceed to do whatever you want with that servlet session object.
As I mentioned above, in modern Java frameworks like Struts 2 and JSF, you may not need to know anything about the traditional Java servlet session, but if you're writing old-fashioned Java servlets and JSP code, you can use this technique to test for the existence of a valid Java servlet session.
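The session check above, taken one step further as an added example (not code from the original article): it also looks for the user information that the login process stored in the session, so a session created without a login is not mistaken for an authenticated user. The class name SessionCheckServlet and the attribute name "authenticatedUser" are assumptions for illustration, and the code assumes the javax.servlet API is on the classpath.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; the class name is hypothetical.
public class SessionCheckServlet extends HttpServlet {

    // Hypothetical attribute name: the login code is assumed to store the
    // user's name under this key only after a successful login.
    static final String AUTH_USER_ATTR = "authenticatedUser";

    /** Returns the logged-in user's name, or null if the request is not authenticated. */
    static String authenticatedUser(HttpServletRequest request) {
        // false: never create a session as a side effect of this check
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null; // no session at all
        }
        // A session can exist without a login (a JSP creates one by default),
        // so the session alone is not treated as proof of authentication.
        Object user = session.getAttribute(AUTH_USER_ATTR);
        return (user instanceof String) ? (String) user : null;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = authenticatedUser(request);
        if (user == null) {
            // Answer explicitly instead of returning an empty 200 response.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login required");
            return;
        }
        // business logic for the authenticated user goes here ...
        response.setContentType("text/plain");
        response.getWriter().println("ok");
    }
}
```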
Warning: Article and example code do NOT do user authentication
The article and code propose that checking for a session in a servlet does user authentication. It does NOT, and the example code segment is incorrect. Whether a user is logged in or not is NOT indicated by the existence of a session. Sessions can be created without the need for a user being logged in. User authentication CAN be done with information saved in the session using several different techniques (not detailed here). Additionally, the code example uses: request.getSession() which *always* returns a session (provided the servlet container has sessions it can create (does not exceed a config limit)).
The way to check for a session without creating one is with:
Reference: http://java.sun.com/javaee/5/docs/api/javax/servlet/http/HttpServletRequ...
Thank you for your comments. I have corrected the code segment above by adding 'false' to the getSession method call I showed. That was definitely an error.
I'll try to explain the rest of my logic, and the limits of my approach, by updating this article this morning.
Okay, I have updated this servlet session article now, and hopefully I have clarified my intent. Thanks again for the comments.