I currently detect if a user is logged out by searching for null attributes

这也是正常的做法.要检查用户是否已登录,您肯定不会检查servletcontainer是否已创建会话.这根本不代表登录用户.

登录时,只需将用户模型对象放在会话范围中,而不检查容器是否为您创建了会话.换句话说,只使用不带布尔参数的getSession(),以便容器在必要时自动创建,此时您需要会话：

@Override

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

String username = request.getParameter("username");

String password = request.getParameter("password");

User user = userService.find(username, password);

if (user != null) {

request.getSession().setAttribute("user", user);

response.sendRedirect(request.getContextPath() + "/home");

} else {

request.setAttribute("message", "Unknown login. Please retry.");

request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);

}

}

在访问过滤时,只需检查表示登录用户的会话属性是否存在,此处仅使用getSession(false)以避免不必要的会话创建,否则例如searchbots将触发完全不必要的会话创建：

@Override

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

HttpServletRequest request = (HttpServletRequest) req;

HttpServletResponse response = (HttpServletResponse) res;

HttpSession session = request.getSession(false);

User user = (session != null) ? (User) session.getAttribute("user") : null;

String loginURL = request.getContextPath() + "/login";

if (user == null && !request.getRequestURI().equals(loginURL)) {

response.sendRedirect(loginURL);

} else {

chain.doFilter(request, response);

}

}

注销时,请确保在invalidate之后发送重定向,因为当前会话仍然可以在转发的响应中使用.

@Override

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

request.getSession().invalidate();

response.sendRedirect(request.getContextPath() + "/login");

}