0
votes

I'm doing a login. The problem is: my isUserLoggedIn() method is called several times by other sessions (I've checked using (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false)).

The Login bean (of a JSF page) is this:

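import java.io.Serializable;

import javax.enterprise.context.SessionScoped;
import javax.enterprise.inject.Produces;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpSession;

@Named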
@SessionScoped
public class Login implements Serializable {

    @Inject
    private Credentials credentials;

    private UserData user;

    public String login() {
        if (this.credentials.getUsername().equals("daniel")) {
            user = new UserData("Daniel");
            return "success";
        }
        return "failure";
    }

    public boolean isUserLoggedIn() {
        return user != null;
    }

    public String logout() {
        user = null;
        ((HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false)).invalidate();
        return "success";
    }

    public String getUsername() {
        return getUser() == null ? "" : getUser().getUsername();
    }

    @Produces
    public UserData getUser() {
        return user;
    }
}

So, what happens is: when login() is called, I can see via getSession() that it is X, but then, afterwards while trying to access another page, when calling isUserLoggedIn(), the getSession() method returns Y instead of X, and the user attribute is null. Frequently the isUserLoggedIn() method is called several times with just 1 request, and its session changes each time it is called.

By the way, I'm using JBoss AS7 Final, and my faces-config.xml is the following:

<?xml version="1.0" encoding="UTF-8"?>
<faces-config version="2.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="         http://java.sun.com/xml/ns/javaee         http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">

    <navigation-rule>
        <from-view-id>/login.xhtml</from-view-id>
        <navigation-case>
            <from-action>#{login.login}</from-action>
            <from-outcome>success</from-outcome>
            <to-view-id>/secured/home.xhtml</to-view-id>
            <redirect />
        </navigation-case>
        <navigation-case>
            <from-action>#{login.login}</from-action>
            <from-outcome>failure</from-outcome>
            <to-view-id>/login.xhtml</to-view-id>
            <redirect />
        </navigation-case>
    </navigation-rule>
    <navigation-rule>
        <from-view-id>/*.xhtml</from-view-id>
        <navigation-case>
            <from-action>#{login.logout}</from-action>
            <from-outcome>success</from-outcome>
            <to-view-id>/login.xhtml</to-view-id>
            <redirect />
        </navigation-case>
    </navigation-rule>
</faces-config>

Any ideas? Thank you.

1
This question is not really answerable without a bit of debugging work on your own. Key point is that either your client doesn't support cookies or that you're recreating the session on every request. First step would be to check with an HTTP traffic checker like Firebug what happens to the session cookies. Does the server return a new Set-Cookie on every response? Or does the client decline to return Cookie on every request? That should help in nailing down the culprit. - BalusC

Thanks for the answer, BalusC. After some time back there I discovered that the problem had to do with the URL path. The cookie was generated for a path, and when changing the path and trying to access the session, another one was generated. - dgimenes

1 Answer

1
votes

After some time back there I discovered that the problem had to do with the URL path. The cookie was generated for a path, and when changing the path and trying to access the session, another one was generated.

Anyway, I discovered that this is definitely NOT the way to secure Java EE apps (see Java EE 6 manual), so I'm going another way.

Thanks.
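The cookie-path behaviour described in this answer, as an added example that is not part of the original posts: it implements the RFC 6265 path-match rule and replays a constructed request sequence to show how a session cookie scoped to one directory yields a different session on another path, compared with scoping the cookie to the context root. The `/app` context root, the toy server's cookie-scoping policies and the `replay` and `dirOf` helpers are assumptions made for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie with this Path sent for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Directory of a request path, e.g. /app/secured/home.xhtml -> /app/secured.
const dirOf = (p) => p.slice(0, p.lastIndexOf('/')) || '/';

// Replays request paths against a toy server (an assumption, not JBoss code) that
// creates a session whenever no session cookie arrives and scopes the new cookie
// to cookiePathFor(requestPath). Returns the session each request ends up in.
function replay(requestPaths, cookiePathFor) {
  const jar = []; // client-side cookie jar: { path, id }
  let nextId = 1;
  return requestPaths.map((path) => {
    // Client: of all matching cookies, the longest Path is listed first
    // (RFC 6265 section 5.4); the toy server uses that first one.
    const sent = jar
      .filter((c) => pathMatches(path, c.path))
      .sort((a, b) => b.path.length - a.path.length)[0];
    if (sent) return { path, sessionId: sent.id, setCookie: null };
    // Server: no cookie received, so a new session is created.
    const cookie = { path: cookiePathFor(path), id: 'S' + nextId++ };
    const old = jar.findIndex((c) => c.path === cookie.path);
    if (old >= 0) jar.splice(old, 1); // same-path cookie is overwritten
    jar.push(cookie);
    return {
      path,
      sessionId: cookie.id,
      setCookie: `JSESSIONID=${cookie.id}; Path=${cookie.path}`,
    };
  });
}

// Constructed sequence: secured page first, then the login page, then the
// redirect back to the secured page after a successful login.
const REQUESTS = ['/app/secured/home.xhtml', '/app/login.xhtml', '/app/secured/home.xhtml'];

for (const [label, policy] of [['per-directory', dirOf], ['context root', () => '/app']]) {
  console.log(label);
  for (const r of replay(REQUESTS, policy)) {
    const note = r.setCookie ? 'Set-Cookie: ' + r.setCookie : '(cookie sent)';
    console.log(`  ${r.path} -> ${r.sessionId}  ${note}`);
  }
}
```

With the per-directory policy the login runs in one session and the redirected page reads another, which is the same pattern as the X and Y sessions reported in the question; an unexpected Set-Cookie on a later response is the signal to look for in the HTTP traffic.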