Apparently you're asking about Java EE web applications (you didn't post in any relevant forum so that's my guess).
After the user signs on successfully, create a session attribute which contains a User object (or a String containing the user ID, or whatever you need). And when the user signs off, remove that session attribute. Then on subsequent requests, you can just check to see if that attribute exists. If it does, then you know the user is signed on and you know who they are.
With this simple and straightforward design you don't need to mess with the isRequestedSessionIdValid method.
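The session-attribute design described in the reply above, as an added example that is not part of the original post. The names `SessionAuth`, `AuthFilter`, `USER_ATTR` and the `/login` path are assumptions, credential checking is left out, and the session ID change at sign-on and the `invalidate()` at sign-off go beyond what the reply describes (they need Servlet 3.1 or later).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical helper: all names here are illustrative, not from the post.
final class SessionAuth {
    static final String USER_ATTR = "user"; // assumed attribute name

    // Call only after the credentials have been verified elsewhere.
    static void signOn(HttpServletRequest req, String userId) {
        req.getSession(true);
        req.changeSessionId(); // new ID at sign-on, so an ID issued before login is not reused
        req.getSession().setAttribute(USER_ATTR, userId);
    }

    static void signOff(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // do not create a session just to sign off
        if (s != null) {
            s.removeAttribute(USER_ATTR); // the step the reply describes
            s.invalidate();               // extra: drop everything else held in the session
        }
    }

    // Returns the signed-on user ID, or null when nobody is signed on.
    static String currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // false: anonymous requests get no session
        return s == null ? null : (String) s.getAttribute(USER_ATTR);
    }
}

// Runs before protected resources and checks whether the attribute exists.
public class AuthFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        boolean loginPage = "/login".equals(req.getServletPath()); // assumed login path
        if (loginPage || SessionAuth.currentUser(req) != null) {
            chain.doFilter(rq, rs); // signed on, or on the way to sign on
        } else {
            res.sendRedirect(req.getContextPath() + "/login");
        }
    }
}
```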