I am planning on holding a list of the HttpSessions of authenticated users in an application-scope bean. When they log out I will remove the HttpSession from the list and invalidate it.
what happens when the HttpSession times out? If it is in my ArrayList, or HashMap, can it be invalidated properly? Will I just end up with a null value at that place in the List?
You're planning hold the list of the HttpSessions in an application-scope bean, for store beans with state on your session, objects stored need be Serializable. Its a requirement ... however Tomcat sometimes optimize and not serialize this values for best performance, "sometimes", on real world with concurrent users maybe you get stranger behaviors and NotSerializableExceptions.
Above is Tomcat specific behavior, on robust AppServers like: WebSphere, Sun ONE App Server, WebLogic your code never work, and throw exceptions whenever you run it.
On event session 'destroyed' your session has been invalidated. Definitively store your HttpSessions on application-scope-bean is not viable.
What do you mean 'beans with state'? Why does it need to be serializable?
I've tested some simple code and was able to kill all sessions except my own by clicking a button, it seemed to work fine and I didn't get any exceptions or anything.
Can anyone verify that I'll have problems?
If this WILL cause problems, what's an alternative to keep track of all of the open sessions and make them available to my bean handling logins? I can't think of anything else but I would appreciate any *working* ideas!
