What is session invalidation?
Matthew Harrington
Session invalidation means destroying the session. So if a session is destroyed, it indicates that the server can't identify the client which has visited previously. So now it creates a new session ID for that client.
Is this right? If wrong, tell me the correct procedure.
3 Answers
Calling HttpSession.invalidate() simply clears any object that is bound to it and marks it as invalid, so if you try to modify it afterward it will throw exceptions.
Once a session has been invalidated, the SessionID placed in a cookie on the client will be invalid too, and a new one will have to be created when a new session object is created. So the new Session will have a new ID.
This is useful for handling, for example, login/logout. Sessions should always be invalidated at login to help prevent session fixation attacks.
Yes, absolutely right. Invalidating a session will mark the session as invalid and it will be destroyed. If the client comes with a session ID which has been invalidated, a new session will be created.
session.invalidate():
If we log in to Gmail, then on the server side the server will create a session object.
If we call the session.invalidate() method, it means we are logged out, since the session object is destroyed by the server.
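An added example, not part of any answer above, showing the two uses the answers mention: invalidating the pre-login session at login so a session ID planted before authentication is never promoted to an authenticated one, and invalidating at logout. It assumes the `javax.servlet` API, exact servlet mappings for `/login` and `/logout`, a `"user"` session attribute, and a hypothetical `authenticate()` hook.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. The paths, the "user" attribute and authenticate() are
// assumptions made for illustration, not code from the page.
public abstract class SessionLifecycleServlet extends HttpServlet {

    // Hypothetical hook: a subclass checks credentials against its user store.
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            login(req, resp);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null || !authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard the session the browser arrived with (if any), then create
        // a new one: the container issues a different session ID for it.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // do not create one just to destroy it
        if (session != null) session.invalidate();
        // Calling session.setAttribute(...) after this point would throw
        // IllegalStateException, because the session is now invalid.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

On Servlet 3.1 and later, `HttpServletRequest.changeSessionId()` is an alternative at login when the existing session attributes must be kept.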