[Bug ?] ADFC-00008 again, after session.invalidate() in ADF BC application

Similar Messages

• Logged Out session can be accessed again After logout (DAD authentication)

  Hello,
  Please find the details of my problem below:
  SCENERIO:
  Current Authentication: No Authentication (USING DAD)
  Authorization: MYAUTH
  Frequency: Once Per Session
  declare
  lv_retval boolean;
  lv_srec pkg_myutil.r_sessionrectype;
  begin
  begin
  -- This is NOT Apex Session. I am checking the entry in a table to make sure user is logged in
  -- and the link is not opened directly. In short making sure user opened the Apex link from the
  -- Oracle Forms application.
  lv_srec :=pkg_myutil.get_session_info(:P1_SID);
  if lv_srec.valid_session then
  lv_retval := TRUE;
  else
  lv_retval := FALSE;
  end if;
  exception
  when others then
  lv_retval := FALSE;
  end;
  return lv_retval;
  end;
  The Application Security property Authorization is set to : MYAUTH
  Logout Navigation Bar Entries-URL TARGET: http://myapp.mycompany.com/pls/apex/apex_custom_auth.logout?p_this_app=105&p_next_url=http://mycompany.com
  ( I cannot put this in the Authentication Logout URL as using -DATABASE- as sentry function (DAD authentication) gives me error: No functional attributes may be set when page sentry function is '-DATABASE-'.))
  so i directly modified the navigation bar entry
  Now I open the apex link from my forms application, and it Works fine. For example
  http://myapp.mycompany.com/pls/QRYONLYDAD/f?p=105:1:2524984933940261::NO::P1_SID:0137099300:
  The authorization function takes the P1_SID value and checks in database,finds the entry so returns TRUE to display the page 1 which i call Menu page.
  If I click logout, it works and takes me to the Mycompany home page.
  My question:
  If save that link and try to access it again AFTER LOGOUT, it still displays the page. Although the session is logged out, how come it still allows to access the page? The authorization function also doesn't fire which would have prevented it atleast. How APEX knows it still a valid session even after logout happens?
  I can see that Since there is DAD authentication, the login happens automatically........ but I cannot change that method. What other option do i have?
  Please help.
  Jay

  1.) Code for the function:
  Basically we are using a private DBMS_PIPE to pass a randomly generated string and read that pipe from Apex using get_session_info. Nothing to do with Apex Session. We just want to make sure the user opened the Apex link from the application.
  function get_session_info (p_session_id varchar2) return pkg_myutil.r_sessionrectype is
  rv_sessionrec eft.pkg_myutil.r_sessionrectype;
  lv_status NUMBER;
  lv_app_id varchar2(20);
  lv_EMPID VARCHAR2(20);
  lv_timeout BINARY_INTEGER := 0; --A timeout of 0 allows you to read without blocking. otherwise the pipe will keep waiting and our purpose won't be solved
  lv_rmstatus number;
  begin
  begin
  -- Valid Session theme: If the pipe doesnot exist means the url is not requested from inside the Forms application.
  lv_status := DBMS_PIPE.RECEIVE_MESSAGE(p_session_id,lv_timeout);
  IF lv_status <> 0 THEN
  raise_application_error(-20003,'Error while receiving.Status = ' || lv_status);
  END IF;
  DBMS_PIPE.UNPACK_MESSAGE(lv_app_id);
  DBMS_PIPE.UNPACK_MESSAGE(lv_EMPID);
  if lv_EMPID is null then
  raise_application_error(-20004,'User EMPID is null in the session info.');
  end if;
  -- construct return record
  rv_sessionrec.session_id:=p_session_id;
  rv_sessionrec.valid_session :=TRUE;
  -- remove pipe
  lv_rmstatus:=DBMS_PIPE.REMOVE_PIPE(p_session_id);
  if lv_rmstatus <> 0 then
  null; -- think what to do
  end if;
  exception
  when others then
  rv_sessionrec.session_id:=p_session_id;
  rv_sessionrec.valid_session :=FALSE;
  end;
  return rv_sessionrec;
  end get_session_info;
  2.) I guess you are right. But doesn't Apex use the Userid and password hardcoded in the DAD? because it displays the username in DAD on the page footer. But It will authenticate everytime. So I want to put another layer so that my pipe verification code executes everytime which can decide whether to show the page or redirect to a error page.
  If i put in a On-Load Before Header Process on Page 1 with the pl/sql code, is there a way there to redirect to different page? I couldn't think of a way to do it. Then i can remove the code from authorization scheme and add to the On-Load process?
  Does this help any?
  Thanks for your prompt response.
  Thanks,
  Jay

• [svn] 1502: Bug: BLZ-148 - Repeat invocation of invalidate() on HttpFlexSession throws java.lang.IllegalStateException: invalidate: Session already invalidated

  Revision: 1502
  Author: [email protected]
  Date: 2008-04-30 16:36:53 -0700 (Wed, 30 Apr 2008)
  Log Message:
  Bug: BLZ-148 - Repeat invocation of invalidate() on HttpFlexSession throws java.lang.IllegalStateException: invalidate: Session already invalidated
  QA: Yes
  Doc: No
  Ticket Links:
  http://bugs.adobe.com/jira/browse/BLZ-148
  Modified Paths:
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/HttpFlexSession.java

• ViewExpiredException issue with session invalidate on IE9

  Hi guys,
  I have posted this on the ADF forum as well as I'm not sure of the root cause is JHeadstart related or not - but I thought I would check also here to see if anyone else has encountered this ...
  I'm using JDeveloper 11.1.1.6 (JHeadstart 11.1.1.4.26) and having problems when calling "session.invalidate();" with my custom JhsAuthenticationFilter. If i log on and immediately log out (so no web.xml timeout which is set to 25 min) - The message shown on screen is
  "Because of inactivity, your session is timed out and is no longer active. Click on OK to reload the page"
  In the log files, the following error is thrown
  <BindingContext> <put> [3126] Replacing: null with: XXXXX_UIShellPageDef
  <StateManagerImpl> <restoreView> Could not find saved view state for token -a6jozll3a
  <LifecycleImpl> <_handleException> ADF_FACES-60098:Faces lifecycle receives unhandled exceptions in phase RESTORE_VIEW 1
  javax.faces.application.ViewExpiredException: viewId:/pages/UIShell.jspx - ADF_FACES-30107:The view state of the page has expired.  Reload the page.
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._restoreView(LifecycleImpl.java:751)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:374)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:194)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
       at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
       at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at hmdclinical.pulse.view.PulseAuthenticationFilter.doFilter(PulseAuthenticationFilter.java:273)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
       at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
       at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
       at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
       at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  <ADFLogger> <addContextData> Execute queryI have the web.xml parameter org.apache.myfaces.trinidad.CLIENT_STATE_MAX_TOKENS set to 15.
  This ONLY happens when using IE9 - using Firefox or Chrome it's not a problem. I'm guessing something is trying to access the page def after the token for the view has already been removed as part of the session.invalidate() ?
  How can I find out what the root cause is and why is this only a problem with IE and not Chrome or Firefox ?
  Any help greatly appreciated !!
  Cheers,
  Brent

  Brent,
  I think it is best to make a very simple testcase without JHeadstart (you can cust and paste code from the jhs auth fillter as needed) and then attach your testcase to the post on JDev forum, or copntact Oracle support.
  Looks like a browser-specific ADF bug to me.
  Steven Davelaar,
  JHeadstart Team.

• Urgent!! Problem in using session invalidate()

  Dear all,
  I think may be the problem has been posted here before, but i can't find the solution yet. I hope you can help me about this.
  My case is that i wrote a logout servlet for my web site. So i use session.invalidate() in the servlet. After that it will redirect to the home page again. At this time, NullPointerException is thrown. I have tried many ways to solve this problem, but still failed.
  Can anyone help me? Thanks for advanced.
  Priscilla

  here is the error printed out:
  java.lang.NullPointerException
       at com.sssw.srv.http.CommonLogger.log(CommonLogger.java:217)
       at com.sssw.srv.http.httpd.log(httpd.java:4229)
       at com.sssw.srv.http.Client.log(Client.java:254)
       at com.sssw.srv.http.Client.loop(Client.java:1300)
       at com.sssw.srv.http.Client.runConnection(Client.java:1495)
       at com.sssw.srv.http.Client.run(Client.java:1442)
       at java.lang.Thread.run(Thread.java:479)

• Are beans also destroyed with session invalidate()?

  Hi,
  I have a login JSP which creates a new session and puts the username into it.
  My other JSP's also have page session=true, and each of them uses a bean. For example,
  <jsp:useBean id="transferbean" class="transactions.transferBean" scope="session"/>
  My logout JSP calls session.invalidate() and returns the user to the login page.
  My question is- does the session.invalidate() call also destroy the transferbean data? The user will not close his browser window after logging out- he may choose to log in again as a different user. Will he have a new transferbean created for him, or will the previous transferbean data persist?
  Thanks
  Luanne

  This is almost my case... I have a page called index.jsp which holds the session variables;
  <jsp:useBean id="ValidationBean" scope="session" class="com.nbdesigns.beans.nbstore.Validation" />
  <jsp:useBean id="OrderBean" scope="session" class="com.nbdesigns.beans.nbstore.Order" />If you start to shop, the orderbean holds your order. When you checkout you have to register or log in, in both cases the cart will be deleted.
  All pages are included in the index.jsp with the <%include page="" %> tag.
  Any ideas why the editing of values in validationbean causes the values in orderbean to be deleted?

• ADFC-00008: DataControlFframe has not been found by ADF controller.

  The original error is given in Spanish. In the subject I have tried to translate it to english, but the meaning is the same.
  When running my application, every time it raises an uncontrolled error (FileNotFound or any other java exception, for example) I can not continue working with it because every thing I try to do with it raises always this error message (ADFC-00008). I have to restart the application and then it is ok.
  I think this is a nomal behaviour of ADF because it also happens in other aplications but that bothers my users a lot .
  Could I solve it creating an Exception method in my task flow ? or any other solution ?

  Hi,
  in general you can add exception handlers to all task flows that catch the exception and go an educated redirect. However, this doesn't really help the user as it seems that he/she cannot access the functionality they need. I haven't heard about the problem you describe (at least I am not aware of a bug in this regards). You did not mention the JDeveloper version but since this is a production system I encourage you to create a reproducible testcase and file a service request with support. An application that is deployed should bot complain about missing files at runtime because files are not created per session but per application.
  Frank

• Session.removeAttribute and session.invalidate

  I pass a scoped object from one JSP #1 to JSP #2 in a session.
  In JSP #1, I did:
         <c:set var="cr" value="${articleForm.creator}" scope="session"/>In JSP #2, I did:
        <bean:define id="author" name="cr" scope="session" type="java.lang.String"/>
        <html:text property="receiver" value="<%=author%>" size="82" maxlength="25" tabindex="1"/>Immediately after I output the value, I want to remove the object from the session. I have two questions:
  1. which one of the following should I do:
         session.removeAttribute( "cr" );or
         session.removerAttribute( "author" );or
         session.removeAttribute( "receiver" );2. Do I have to invalidate the session; i.e. session.invalidate(); after all the objects in the session are removed?

  I pass a scoped object from one JSP #1 to JSP #2 in a session.
  In JSP #1, I did:
         <c:set var="cr" value="${articleForm.creator}" scope="session"/>In JSP #2, I did:
        <bean:define id="author" name="cr" scope="session" type="java.lang.String"/>      <html:text property="receiver" value="<%=author%>" size="82" maxlength="25" tabindex="1"/>Immediately after I output the value, I want to remove the object from the session. Which one of the following should I do:
         session.removeAttribute( "cr" );or
         session.removerAttribute( "author" );or
         session.removeAttribute( "receiver" );

• Session.invalidate works on tomcat but not in WebSphere Server

  I'm trying to figure out a .jsp written by another developer in WS Studio.
  The page does this:
  session = request.getSession(false);
  session.setMaxInactiveInterval(5);
  then almost immediately, does this:
  session.invalidate();
  In Tomcat, I get the "session already invalidated" error message I would expect. However, In WS Server, the rest on the page loads, and I can continue to interact with the application. I'm using IE 6.0, sp2.
  The "session.setMaxInactiveInterval(5);" call seems to have no effect in either container; al least, the application never times out.
  The most important thing for my purposes is to be able to invalidate the session in websphere. How can I fix this? Thanks!

  duffymo wrote:
  Is the machine that you ran this simple java class on the same one where you're >deploying the web app?Same machine where my sql connections bug. I just copypasted it into a file in tomcat5.5/webapps directory and then compiled it and used it from there. I used it from command line.
  duffymo wrote:
  how well do you know jsps, tomcat, and web apps? sure it's deployed properly? if you >put in a simple jsp and invoked it via tomcat, would you be able to do it?Dont know jsps well. :) Essentially my jspservlet thingie works normally on my computer through my tomcat and on other computers which have netbeans etc... It compiles .war file and ive copied that .war file to the target server's tomcat webapps directory, then when I access the website of my jspservlet tomcat unpacks it and shows my jsp pages normally if they have no sql components. So at least jsp pages are working... :)
  "minor modifications"? sure those are right? you wouldn't be the first programmer to fool >themselves by saying "it's the same code - except for X."
  try you "minor modifications" on the command line, too.First I used with main on command line, then removed main etc... and included it into my project.

• Issue with session.invalidate() in OC4J

  Ok, here's the thing- I've got a servlet that autogenerates
  pages to the client via XSL; so far so good. However whenever
  the login page is displayed, we would like to "logout" the
  current user if there is one and start fresh, as it were. All of
  our persistent data is stored via the user's session object so
  we are doing something like this:
  public void doGet( HttpServletRequest request) {
  HttpSession session = request.getSession();
  // Some misc. stuff happens here;
  // Nothing is written to the session, however
  if ( page == LOGIN_PAGE) {
  session.invalidate();
  session = request.getSession();
  String info = session.getAttribute( "INFO");
  As soon as we request the attribute, after performing the
  session invalidation & re-obtaining a new session the system
  bails with an IllegalStateException: Session invalidated
  exception.
  Note that the exact same code works under the Sun Reference
  Implementation (Apache Groups Tomcat 4.0) and is pretty much
  verbatim from Jason Hunter's book Java Servlet Programming 2nd
  Edition pg. 220.
  Any ideas for a fix and/or workaround?

  Hi
  This works, here is a sample I've run on OC4J
  public class SessionTestServlet extends HttpServlet
  private static final String CONTENT_TYPE = "text/html";
  HttpSession sess = null;
  private static boolean login_page = true;
  public void init(ServletConfig config) throws ServletException
  super.init(config);
  public void doGet(HttpServletRequest request,
  HttpServletResponse response) throws ServletException,
  IOException
  sess = request.getSession(true);
  try
  if (login_page)
  if(sess != null)
  sess.invalidate();
  sess = request.getSession(true);
  sess.setAttribute("name","kalle");
  catch(Exception e)
  e.printStackTrace();
  response.setContentType(CONTENT_TYPE);
  PrintWriter out = response.getWriter();
  out.println("<html>");
  out.println
  ("<head><title>SessionTestServlet</title></head>");
  out.println("<body>");
  out.println("<p>Session: "+ sess+"<p>Name: "+
  sess.getAttribute("name"));
  out.println("</body></html>");
  out.close();
  Regards
  //Mike

• Urgent: session invalidate problem

  Guys:
  Has anyone had a issue with session.invalidate() using weblogic 8.1.
  we have vignette portal and weblogic 8.1.
  the problem i have noticed is session.getId retunrns a extra timestamp string in the end. And i am thinking since this changes the entire sessionid, it does not get invalidated. I tried adjusting the weblogic.xml's idlength session-param to 52 but this still happens after that. can anyone suggest any insights. i am unable to kill the session and hence the user is always logged in. the only way is to close to broswer window.

  here is the error printed out:
  java.lang.NullPointerException
       at com.sssw.srv.http.CommonLogger.log(CommonLogger.java:217)
       at com.sssw.srv.http.httpd.log(httpd.java:4229)
       at com.sssw.srv.http.Client.log(Client.java:254)
       at com.sssw.srv.http.Client.loop(Client.java:1300)
       at com.sssw.srv.http.Client.runConnection(Client.java:1495)
       at com.sssw.srv.http.Client.run(Client.java:1442)
       at java.lang.Thread.run(Thread.java:479)

• Web logic Session Invalidate

  hi,
  i developed j2ee code in eclipse and using tomcat server ver. 4.1. after completing the code, i uploaded the war file into web logic server. In weblogic server when i click on "LogOut" the server is also shutting down along with the page. but this is not happened with TOMCAT.
  my invalidation code is
  if (event.equals(Constant.EVENT_LOGOFF)) {
       /* invalidate the session and forward to logout url */
                                session.invalidate();
                                System.out.println("url logoff -> " + logoutUrl);
                                response.sendRedirect(logoutUrl);
  please tell me what could be the problem.
  thanks
  Ananda

  Hi,
  To set these values you can use "plan.xml" which is not part of your application physically. Only u need to have a weblogic.xml file in your application ....even it may be empty...because you can add the Tags functionality on the fly without editing your application.....
  Please refer to:
  http://jaysensharma.wordpress.com/2009/12/16/updating-cookiename-using-plan-xml/
  http://jaysensharma.wordpress.com/2009/11/29/shared-library-with-plan-xml/
  http://jaysensharma.wordpress.com/2010/03/24/changing-context-root-of-an-ear-app-using-plan-xml/
  Thanks
  Jay SenSharma

• Portlet question- session.invalidate()- with weblogic

  Guys:
  Has anyone had a issue with session.invalidate() using weblogic 8.1.
  we have vignette and weblogic 8.1.
  the problem i have noticed is session.getId retunrns a extra timestamp string in the end. And i am thinking since this changes the entire sessionid, it does not get invalidated. I tried adjusting the weblogic.xml's idlength session-param to 52 but this still happens after that. can anyone suggest any insights. i am unable to kill the session and hence the user is always logged in. the only way is to close to broswer window.
  session id:
  F1z2YTQMyD3Yy1Xs4VBHyq3M7LWVfYMnvWJgYLnrR3cPYnKL9NW9!-682555724!1170191618061
  any help will be appreciated..thanks.
  Harsh

  i havent gone to weblogic support yet. Want to check
  if anyone of us might have seen a similar issue.I haven't used weblogic in a while. I doubt many people here have. I would suggest you ask on a weblogic forum. This is a java forum.

• Wireless Guest Users once authenticated, are able to connect again after disconnection

                     Wireless Guest Users once authenticated, are able to connect again after disconnection .Clients should not able to connect after the restart or by disabling and enabling the WIFI adapter. But as of now clients are connecting to network . How we can configure this feature in WLC ?

  IIRC, if your reboot, disable the adapter or disconnect from the wireless, as long as the session timer or the idle timer does not timeout, then you are still considered as authenticated. If you logout, the wlc logs you off and you will have to log back in. The wierd thing is with iPhones or iPads, they go to sleep mode and you have to log back in to access the guest network. The workaround was to increase the idle timers to a certain acceptable limit to prevent this from happening.
  If you disconnect from the guest SSID and leave your client off the network until the idle timer expires, do you get prompted for a login or do you have access again?
  Sent from Cisco Technical Support iPhone App

• Session.invalidate()

  Hi Techies,
  I am new to servlet, can any one please explore what happens internally when we call session.invalidate().
  whether it removes the session completely?
  thanks in advance.

  Nitin.V wrote:
  if (session != null) {
                 session.invalidate();
                 RequestDispatcher rd = req.getRequestDispatcher(LOGOUT_URL);
                  rd.forward(req, res);
  System.out.println(session);in the last line i am still getting the value of this session.
  what i am expecting is, it should print null value after being invalidating but i am getting session value.
  could you please explore this.
  No, you shouldn't get null. The session you are referencing still exists, it is just invalid. Any further call to getSession(false) will return null, but the current reference still exists. If you want to get null in the current page/servlet then set your variable "session" to null (which does nothing to the actual session object, it simply removes your reference to it) after you call invalidate. I stressed after, because if you simply set your variable to null, the session itself, will still be valid.