Http Session creation and Destroy events...

HttpSession is one of the commonly used way of identifying users across multiple requests between clients and servers. In order to provide various services such as authentication, authorization etc. for users and to store user information, logging and audit purposes, it is required to keep track of newly created sessions, active sessions and session destroy events. HttpSessionListener interface in servlet API provides methods to receive session events for its implementation classes published by the servlet container.

Lets look at a sample class 'WebSessionListener' which implements "HttpSessionListener" interface.

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class WebSessionListener implements HttpSessionListener {
    //Notification that a session was created.
    public void sessionCreated(HttpSessionEvent httpSessionCreatedEvent) {
    //Notification that a session is about to be invalidated.
    public void sessionDestroyed(HttpSessionEvent httpSessionDestroyedEvent) {

To receive notification events, the implementation class must be configured, commonly referred as registered  in the deployment descriptor (web.xml)  of the web application as follows.


Any change in active sessions, i.e. Session creation, Session Timeout etc. can be monitored and necessary actions can be performed depending on the requirements.  HttpSession Object can be accessed via session event object which represents event notifications for changes to sessions within a web application.

HttpSession httpSession = httpSessionEvent.getSession();

Both Session invalidation and session timeout(expiry) are notified via same sessionDestroyed event and can't be distinguished using this method.

If you use Spring Security, application context can be accessed using 'context.getBean()' method as follows inside the listner.

 WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext();
 CustomUserBean user= (CustomUserBean) context.getBean("customUser");

In a Spring environment. best practice is to use 'ApplicationListener' interface provided by the spring framework to receive session events.

In order to use ApplicationListner as a session event notifier,

You need to register 'HttpSessionEventPublisher' in the web.xml, which is the event publisher of the spring framework. If you look at the implementation of 'HttpSessionEventPublisher', you will see that it also implements the 'HttpSessionListener' and publish the session events to the Spring Root WebApplicationContext receieved from the servlet container.


Define you bean in the security.xml

Implement 'ApplicationListener' in your implementation.

import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger

public class WebSessionListener implements ApplicationListener<ApplicationEvent> {
    private static final Logger LOG = Logger.getLogger(WebSessionListener.class);

    public void onApplicationEvent(ApplicationEvent applicationEvent) {
        if(applicationEvent instanceof HttpSessionCreatedEvent){ //If event is a session created event

           HttpSession httpSession = httpSessionDestroyedEvent.getSession(); //get session object
           String sessionId = httpSession.getId(); //get session id
           persistSessionData(sessionId); //save session data to DB
           LOG.debug(" Session is invalidated |SESSION_ID :" + sessionId ); //log data
        }else if(applicationEvent instanceof HttpSessionDestroyedEvent){ //If event is a session destroy event

Thoughts are welcome...

Post a Comment

Popular posts from this blog

How to Use Apache JMeter for Web Services Testing...

Getting started with Apache Zookeeper...