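/**
 * Validates the session presented by the request and resolves the principal bound to it.
 *
 * <p>A session is only trusted when the container's session id equals the id the client
 * actually requested and {@link AuthHelper#isSessionTimedOut} reports it as still alive.
 * Every other outcome (no requested id, unknown id, id mismatch, timed out) ends with the
 * requested id being detached from its user, the container login being dropped, the session
 * id being rotated, and {@code null} being returned.
 *
 * @param request the current request; the session is read with {@code getSession(false)}
 *        so that no session is created implicitly by the lookup
 * @return the principal bound to a valid session, or {@code null} when the session is new,
 *         unknown, mismatched or expired, or when no principal is bound to it
 * @throws FrameworkException declared by the signature; presumably raised by the
 *         {@link AuthHelper} helpers called here
 */
protected Principal checkSessionAuthentication(final HttpServletRequest request) throws FrameworkException {

    final String requestedSessionId = request.getRequestedSessionId();
    HttpSession session = request.getSession(false);
    boolean sessionValid = false;

    if (requestedSessionId == null) {

        // No session id requested => start a fresh session. It was created just now,
        // so no user can be bound to it yet; there is nothing to look up.
        AuthHelper.newSession(request);
        return null;
    }

    if (session != null) {

        // The container knows a session; it is only trusted if it is the one the client
        // asked for and it has not expired. A mismatching id leaves sessionValid false
        // and falls through to the cleanup below.
        if (session.getId().equals(requestedSessionId)) {

            if (AuthHelper.isSessionTimedOut(session)) {

                // expired: detach the stale id from the user that still holds it
                invalidateSessionId(requestedSessionId);

            } else {

                sessionValid = true;
            }
        }

    } else {

        // The client sent an id the container does not know: start a fresh session and
        // detach the unknown id from whichever user still holds it.
        session = AuthHelper.newSession(request);
        invalidateSessionId(requestedSessionId);
    }

    if (sessionValid) {

        final Principal user = AuthHelper.getPrincipalForSessionId(session.getId());

        logger.log(Level.FINE, "Valid session found: {0}, last accessed {1}, authenticated with user {2}", new Object[] {session, session.getLastAccessedTime(), user});

        return user;
    }

    // Invalid path: resolve the user by the id the client presented (not by the possibly
    // fresh container session) so that the stale binding is released on the user side.
    final Principal user = AuthHelper.getPrincipalForSessionId(requestedSessionId);

    logger.log(Level.FINE, "Invalid session: {0}, last accessed {1}, authenticated with user {2}", new Object[] {session, (session != null ? session.getLastAccessedTime() : ""), user});

    if (user != null) {
        AuthHelper.doLogout(request, user);
    }

    try {

        // Best-effort container cleanup: drop the container-level login and rotate the
        // session id so that the presented (invalid) id cannot be reused.
        request.logout();
        request.changeSessionId();

    } catch (final Exception e) {

        // logout() may throw ServletException and changeSessionId() an
        // IllegalStateException when no session exists. Neither must abort
        // authentication, but the failure is recorded rather than silently discarded;
        // Errors are deliberately no longer swallowed here.
        logger.log(Level.FINE, "Session cleanup after invalid session failed", e);
    }

    return null;
}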