jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: [servlet-spec users] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Fri, 24 Aug 2012 11:20:49 -0700

For HttpServletRequest#changeSessionId, we would like to consider the
case when there is no HttpSession.
In this case, I recommend proposing to throw IllegalStateException.

The javadoc is as follows:
     /**
      * Change the session id of the current session associated with this
      * request and return the new session id.
      *
      * @return the new session id
      *
      * @throws IllegalStateException if there is no session associated
      * with the request
      *
      * @since Servlet 3.1
      */
     public String changeSessionId();

Shing Wai Chan


On 7/10/12 11:49 AM, Mark Thomas wrote:
> On 10/07/2012 07:02, Remy Maucherat wrote:
>> On Mon, 2012-07-09 at 13:52 -0700, Shing Wai Chan wrote:
>>> Hi,
>>>
>>> Before EDR, there were discussions about adding an API to change the session.
>>> Let me summarize what we have discussed:
>>>
>>> I. change session id API - three options were discussed
>>> A. add API to HttpSession
>>> String changeId(); // return the id
>>> B. add API to HttpSession
>>> a. String changeId(HttpServletRequest req);
>>> b. String changeId(HttpServletRequest req, HttpServletResponse res);
>>> C. add API to HttpServletRequest
>>> String changeSessionId();
>>>
>>> My preference would be (c).
>> +1
> +1. Both session and request will need updating and this is easier to do
> starting from the request.
>
>>> II. event - three options are discussed
>>> A. add API to HttpSessionListener // will break backward compatibility
>>> a. void sessionIdChanged(HttpSessionEvent se);
>>> b. void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
>>> B. add attribute javax.servlet.http.session.id attribute
>>> and notify using
>>> javax.servlet.http.HttpSessionAttributeListener#attributeAdded,
>>> #attributeReplaced
>>> C. add a new listener, HttpSessionIdListener
>>> void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
>>>
>>> I prefer (c).
>> Another listener type has a cost, but B is bad and A is not possible. So
>> C looks the best of the three options here.
> +1.
>
> Mark
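
The following is an added example, not code from this thread or from the servlet specification itself. It shows how an application would use the two APIs the thread settles on, HttpServletRequest#changeSessionId() (option I.C) and an HttpSessionIdListener with the sessionIdChanged(HttpSessionEvent, String) signature (option II.C), to rotate the session id at login as a session fixation defence. The login servlet creates the session before calling changeSessionId(), since the javadoc above says the call throws IllegalStateException when the request has no session. The credential check, the USERS_BY_SESSION_ID index and the class names are placeholders invented for this example.

```java
// Added example; not part of the jsr340 thread. Servlet 3.1 API (javax.servlet).
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Hypothetical server-side index keyed by session id: the kind of
    // structure that has to be re-keyed when the id changes.
    static final Map<String, String> USERS_BY_SESSION_ID = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");

        if (!credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: the id the client presented before
        // authentication must not be the id that identifies the logged-in user.
        // changeSessionId() throws IllegalStateException if the request has no
        // session, so make sure one exists first. The HttpSession object and its
        // attributes are kept; only the id (and therefore the cookie) changes.
        HttpSession session = req.getSession(true);
        String newId = req.changeSessionId();
        session.setAttribute("user", user);
        USERS_BY_SESSION_ID.put(newId, user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * Rotates the id only when a session already exists and returns null
     * otherwise. This is the alternative to catching the IllegalStateException
     * that changeSessionId() throws for a request without a session, e.g. when
     * rotating the id again on a privilege change later in the session.
     */
    static String rotateSessionIdIfPresent(HttpServletRequest req) {
        if (req.getSession(false) == null) {
            return null;
        }
        return req.changeSessionId();
    }

    // Placeholder credential check for this example; a real application
    // delegates to its authentication backend.
    private static boolean credentialsValid(String user, String password) {
        return user != null && !user.isEmpty()
                && password != null && !password.isEmpty();
    }

    /**
     * Option II.C from the thread: a listener receiving the old id alongside the
     * event. It re-keys the index so lookups by the old id stop working as soon
     * as the container has switched the session to the new id.
     */
    @WebListener
    public static class SessionIdIndexListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            String user = USERS_BY_SESSION_ID.remove(oldSessionId);
            if (user != null) {
                USERS_BY_SESSION_ID.put(se.getSession().getId(), user);
            }
        }
    }
}
```

The listener is what makes option II.C worthwhile in practice: any server-side state keyed by the session id (caches, locks, audit correlation) would otherwise silently point at an id that no longer exists once changeSessionId() has run.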