session.invalidate() not working in Websphere Appl

Posted 2019-07-07 01:31

Question:

We have a requirement to go to the Vendor login page from the main application. If the session is valid then the data selected in the main application is visible in the Vendor page, as we are storing the data in session. To handle this, in Tomcat we had the code below at the start of the Vendor login JSP.

request.getSession().invalidate();

We are migrating now to Websphere Application Server. The same code is not working in WAS. We are getting IllegalStateException. Somewhere I read that WAS handles session through cookies. So IllegalStateException is thrown if session is already invalidated.

I changed the code as below for WAS. userId is the user id which I am saving in session in the main application.

if ((request.getSession() != null) && (request.getSession().getAttribute("userId") != null)) { // Old session
    request.getSession().invalidate();
}

Even if control is going inside the if condition, it is giving IllegalStateException. For our requirement I have one alternative: to remove all session parameters at the start of the vendor login JSP, so that nothing is passed. But for that I have to remove each parameter (there are almost 20) one by one. Also, in future, for any new parameter I save in session, I will have to update this JSP.

Is there any solution to invalidate the entire session first if it's old?

Answer 1:

We solved the issue with the following code.

<%@page session="false"%>

<%
   HttpSession session = request.getSession();
   if (session!=null) {
      session.invalidate();
   }
%>

We added this code in both the main login jsp and vendor login jsp. So each time the jsp is loaded the automatic creation of HTTP session is eliminated (http://docs.oracle.com/cd/A97688_16/generic.903/bp/j2ee.htm#1008677). Then we create a session explicitly. This code now works perfectly in Websphere Application Server.



Answer 2:

After some research it looks like that should be ok.

    HttpSession session = req.getSession(false);
    if (session == null) {
       // valid session doesn't exist
       // do something like send the user to a login screen
    } else {
       if (session.getAttribute("username") == null) {
          // no username in session
          // user probably hasn't logged in properly
       }

       // now let's pretend to log the user out for good measure
       // (only reached when a session exists, so no NullPointerException)
       session.invalidate();
    }

Here is the link



Answer 3:

I didn't try, but you could try something like that.

if ((request.getSession() != null) &&
            (request.isRequestedSessionIdValid())) {
    request.getSession().invalidate();
}
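
Added example, not code from the question or from any of the answers: a helper that combines the points raised above (`getSession(false)`, a null check, explicit creation of the new session) and also tolerates a session that has already been invalidated. The class and method names are assumptions, and it is written against the `javax.servlet` API.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; the name SessionReset is an assumption, not from the thread. */
public final class SessionReset {

    private SessionReset() {}

    /**
     * Discards any session bound to the request and returns a new, empty one,
     * so that no attribute stored by an earlier login is carried over.
     * Call it before the response is committed: creating a cookie-tracked
     * session after that point throws IllegalStateException.
     */
    public static HttpSession startFresh(HttpServletRequest request) {
        // getSession(false) never creates a session. It returns null when the
        // request carries no valid session, so nothing is created only to be
        // destroyed again.
        HttpSession old = request.getSession(false);
        if (old != null) {
            try {
                old.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // invalidate() throws this when the session has already been
                // invalidated (timeout, or another request got there first).
                // The old session is unusable either way, which is the goal.
            }
        }
        // Explicitly create the empty replacement session.
        return request.getSession(true);
    }
}
```

In a JSP declared with `<%@page session="false"%>`, the call would be `SessionReset.startFresh(request)` at the top of the page, before any output is written.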