Bug 32832

Summary: request.getSession(false) fails to return null.
Product: Tomcat 5 Reporter: blumm
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: CLOSED FIXED    
Severity: major    
Priority: P2    
Version: 5.5.6   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description blumm 2004-12-23 16:28:21 UTC 
1.Servlet 'a'  includes servlet 'b' from a different context.  
2.Servlets 'b' and 'c' belong to the same context.
3.Servlet 'b' includes servlet 'c'.
4.Servlet 'c' creates a session via request.getSession().
5.Servlet 'c' invalidates the session and returns to servlet 'b'.
6.Servlet 'b' performs request.getSession(false).

I expect that Servlet 'b' gets 'null' returned by getSession(false), but instead
a session object is returned.

Note: If only one web-application is involved (only servlets b and c in same
context), then getSession works as expected. If two web-applications are
involved like described in the scenario, then getSession fails to return null.
Comment 1 Remy Maucherat 2004-12-23 16:35:02 UTC 
Please do not reopen this report. If you disagree with my resolution, please
bring this forward to the servlet specification, and persuade them to make the
necessary specification changes.

BTW, I disagree with what you point out. What you want is actually a shared
session across all contexts. Again, this is a blatant misconception on the part
of the portlet specification and its design, since all the servlet specification
ever said was that a separate session object would be returned for each context,
with no further precisions.
Comment 2 Jan Luehe 2005-01-11 22:22:31 UTC 
I believe this bug has been valid: If the session in the foreign
context has been invalidated, it must not be returned. A comment in
the code actually stated that the current session be returned "if it
exists and is valid", but the isValid() check on the session was
missing, and is being added by this commit.
Also, a session is now created in the foreign context only if 'create' is TRUE.