0

Environment: IBM Websphere Application Server 8.5.5

logout servlet version 1: throws IllegalStateException

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        // invalidate current session and create new one to set logout message
        HttpSession session = request.getSession();
        request.logout();
        session.invalidate();
        session = request.getSession(true);
        session.setAttribute("message", "You have logged out successfully.");

    }

Exception:

> [8/20/21 14:51:40:224 SGT] 00000e47 ServletWrappe E
> com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An
> exception was thrown by one of the service methods of the servlet
> [LogoutServlet] in application [FOO]. Exception created :
> [java.lang.IllegalStateException  at
> com.ibm.ws.session.http.HttpSessionImpl.invalidate(HttpSessionImpl.java:302)
>   at com.ibm.ws.session.SessionData.invalidate(SessionData.java:247)
>   at
> com.ibm.ws.session.HttpSessionFacade.invalidate(HttpSessionFacade.java:200)
>   at
> sg.gov.hdb.bp27.servlet.BP27SAuthLogout.doPost(LogoutServlet.java:61)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)     at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:668) ....

However, if I move request.logout() to the end of the method, no exception thrown. Also, my session attribute "message" is also removed by request.logout()

logout servlet version 2:

HttpSession session = request.getSession();
    session.invalidate();
    session = request.getSession(true);
    session.setAttribute("message", "You have logged out successfully.");
    request.logout();

After research, I thought request.logout does not affect session, why there can be the behavior described above still?

references: logout method doc jsp-session-invalidate-vs-request-logout

Yu Tian Toby
  • 81
  • 6

0 Answers0