How to invalidate session in JSF 2.0?

session jsf-2 httpsession managed-bean session-scope
Niks picture Niks · Apr 11, 2011 · Viewed 87.1k times · Source

What is the best possible way to invalidate session within a JSF 2.0 application? I know JSF itself does not handle session. So far I could find 

private void reset() {
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance()
            .getExternalContext().getSession(false);
    session.invalidate();
}
  1. Is this method correct? Is there a way without touching the ServletAPI?
  2. Consider a scenario wherein a @SessionScoped UserBean handles the login-logout of a user. I have this method in the same bean. Now when I call the reset() method after I'm done with necessary DB updates, what will happen to my current session scoped bean? since even the bean itself is stored in HttpSession?

Answer

BalusC picture BalusC · Apr 11, 2011

Firstly, is this method correct? Is there a way without touching the ServletAPI?

You can use ExternalContext#invalidateSession() to invalidate the session without the need to grab the Servlet API.

@ManagedBean
@SessionScoped
public class UserManager {

    private User current;

    public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/home.xhtml?faces-redirect=true";
    }

    // ...

}

what will happen to my current session scoped bean? since even the bean itself is stored in HttpSession?

It will still be accessible in the current response, but it will not be there anymore in the next request. Thus it's important that a redirect (a new request) is fired after invalidate, otherwise you're still displaying data from the old session. A redirect can be done by adding faces-redirect=true to the outcome, as I did in the above example. Another way of sending a redirect is using ExternalContext#redirect().

public void logout() throws IOException {
    ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
    ec.invalidateSession();
    ec.redirect(ec.getRequestContextPath() + "/home.xhtml");
}

Its use is however questionable in this context as using a navigation outcome is simpler.

Related questions

Adding <h:form> causes java.lang.IllegalStateException: Cannot create a session after the response has been committed

I'm facing the following exception in a very simple JSF 2 page after adding <h:form>: java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:2758) at …

Read More
Localization in JSF, how to remember selected locale per session instead of per request/view

faces-config.xml: <application> <locale-config> <default-locale>ru</default-locale> <supported-locale>ua</supported-locale> </locale-config> </application> In a bean action method, I'm changing the locale in the current …

Read More
Check if session exists JSF

I have a login page where I have a User bean to authenticate username and password for a person. This Bean is Session Scoped. If someone writes a URL and tries to jump the login page, how can I check …

Read More