Java servlet session - how to test for a valid session in a servlet

When you're writing Java web applications -- for example, an application like a discussion forum -- you end up writing Java servlets where you need to know if the user accessing your servlet has a valid Java servlet session established. If they have a valid servlet session established, you might do one thing in your servlet code, but if they don't have a valid servlet session, you might handle their request differently.

For example, the devdaily.com blog used to run on a pure Java servlet and JSP framework, and we had a very basic user authentication approach. For blog visitors (readers) and other bots (like search engine spiders) we did not create a Java session, but for users that went through the login process, we did create a Java servlet session for them, and kept a number of objects in their session, including basic user information.

I don't know how common this approach is these days (only creating a servlet session for users that have gone through a login process), as every marketing person seems to want to track information about everyone, including site visitors. But when I originally wrote that blog code (back in 1999), I had no interest in tracking visitors (and I personally still don't). Earlier this year I wrote an application for a client using JSF and JAAS, but unfortunately I don't remember if we did anything to access the servlet session.

Checking for a valid Java servlet session

Getting back to the purpose of testing for the existence of a valid Java servlet session ... if you're writing Java servlet code and you want to test whether the user has a valid Java servlet session, just call the getSession method of the HttpServletRequest object, passing false as the parameter so that your call does not create a new session:

public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
  // don't do anything unless there is a valid servlet session.
  // be sure to pass 'false' in with this method call.
  HttpSession session = request.getSession(false);
  if (session == null)
  {
    System.err.println("FileUploadServlet, session was null, just returning.");
    return;
  }
  
  // your other business logic code is down here ...
}

That false parameter can be a big gotcha, and I highly recommend reading the Javadoc for this HttpServletRequest getSession method. For example, here's a clip from that Javadoc:

Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session. If create is false and the request has no valid HttpSession, this method returns null.

Servlet session - discussion

As you can see from that example Java servlet session code, to test for the existence of a valid servlet session, all you have to do is call the getSession method of your request object (an HttpServletRequest) with a false parameter in the doGet or doPost method, and test to see if that session reference you get back is null. If it is null, the user does not have a valid servlet session, so you can just return at that point, or add logic to do whatever else you want. And if you do get back a valid Java servlet session, you can then proceed to do whatever you want with that servlet session object.

As I mentioned above, in modern Java frameworks like Struts 2 and JSF, you may not need to know anything about the traditional Java servlet session, but if you're writing old-fashioned Java servlets and JSP code, you can use this technique to test for the existence of a valid Java servlet session.

Permalink

The article and code propose that checking for a session in a servlet does user authentication. It does NOT, and the example code segment is incorrect. Whether a user is logged in or not is NOT indicated by the existence of a session. Sessions can be created without the need for a user being logged in. User authentication CAN be done with information saved in the session using several different techniques (not detailed here). Additionally, the code example uses: request.getSession() which *always* returns a session (provided the servlet container has sessions it can create (does not exceed a config limit)).

The way to check for a session without creating one is with:

request.getSession(false);

Reference: http://java.sun.com/javaee/5/docs/api/javax/servlet/http/HttpServletRequest.html#getSession%28%29
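
The session test from the article combined with the point raised in the comment, as an added example (not the article's or the commenter's code): the servlet looks up the session with getSession(false), then requires the user object that the login code stored in it, and answers 401 instead of returning silently. The attribute name "user" and the use of the javax.servlet (pre-Jakarta) API are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FileUploadServlet extends HttpServlet
{
  // Assumed name: the key under which the login code stored the user object.
  static final String USER_ATTR = "user";

  // Returns the logged-in user's object, or null if the request is not
  // authenticated. This method never creates a session.
  static Object currentUser(HttpServletRequest request)
  {
    // 'false' means look up only: anonymous visitors and bots get no session.
    HttpSession session = request.getSession(false);
    if (session == null)
    {
      return null; // no session id sent, or the session expired
    }
    try
    {
      // A session can exist without a login, so require the login marker too.
      return session.getAttribute(USER_ATTR);
    }
    catch (IllegalStateException e)
    {
      return null; // session was invalidated between the two calls
    }
  }

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, IOException
  {
    if (currentUser(request) == null)
    {
      // Tell the client why nothing happened instead of returning an empty 200.
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login required");
      return;
    }

    // business logic for authenticated users goes here
    response.setContentType("text/plain");
    response.getWriter().println("upload accepted");
  }
}
```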
