
Why does the session variable always have a non-null value?

A link has "LoginCheck" in its href attribute

//LoginCheck.java
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    HttpSession ses = request.getSession(false);

    //Redirects to LoginController.java if there is no session
    if(ses==null){
        RequestDispatcher rd = request.getRequestDispatcher("/LoginController");
        rd.forward(request, response);
    }else{
        PrintWriter out = response.getWriter();
        out.println("Logout to login again!");
    }
}

But it is always displaying "Logout to login again!" even if I invalidate the session first?

Two things

First: If possible, always prefer redirecting the client to the target page, which is /LoginController, rather than dispatching the request,
because some containers, such as Tomcat, have a bug with this that causes the target page to be sent as ASCII data (just try to print some UTF-8 data and see).
Besides, this technique will make your business logic and code complex, and it will be hard to maintain, if you ask me.

Second: I recommend you do not validate a session by whether it is null, because if you create it somewhere else, this page will see the client as a logged-in user. So you had better set some attribute on the session, maybe like this:

protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    HttpSession ses = request.getSession(); // let it always be created for this
    // equals() instead of ==, so a deserialized Boolean still matches
    boolean logged = Boolean.TRUE.equals(ses.getAttribute("logged"));
    // Redirects to the login controller if the user is not logged in
    if (!logged) {
        response.sendRedirect("/login-controller");
        return; // you cannot do anything with the request/response once it's redirected or forwarded
    } else {
        PrintWriter out = response.getWriter();
        out.print("Logout to login again!");
    }
}

Later, with the login form, set the logged attribute to true, which indicates that the user has logged in successfully.

Back to your problem:
If you insist on debugging the existing code, you need to check every path (servlets, etc.) a client might call that might create the session. If you are lazy, you can have a session listener and simply set a breakpoint or show the stack to see which component creates the session, like the following.

public class session_listener implements HttpSessionListener, ServletContextListener {
    public session_listener() {}

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // set a breakpoint here and check the stack to see who just created the session
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // set a breakpoint here and check the stack to see who just destroyed the session
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {}

    @Override
    public void contextDestroyed(ServletContextEvent sce) {}
}

And simply register the listener in web.xml

<web-app ... >
    ...
    <listener>
        <listener-class>arpit.tomar.session_listener</listener-class>
    </listener>
    ...
</web-app>

And remember, invalidating the session doesn't make the session object null within the same request. No: the response must first have been fetched successfully by the client, which tells the client not to send the session cookie (if it's a cookie) after this. And since your server works concurrently, you may get n requests at one time that all refer to the same session.
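
The login and logout side of the attribute-based check described in the answer above, as an added example that is not part of the original post. It assumes the javax.servlet API (Servlet 3.1 or later, for changeSessionId), a container-configured realm behind request.login, and hypothetical form fields named action, user and password.

```java
// Added example, not from the original post. Assumes javax.servlet 3.1+;
// on Jakarta EE 9+ replace javax.servlet with jakarta.servlet.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/LoginController")
public class LoginController extends HttpServlet {

    // True only when a session exists AND login marked it; never creates a session.
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession ses = request.getSession(false);
        return ses != null && Boolean.TRUE.equals(ses.getAttribute("logged"));
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String action = request.getParameter("action"); // hypothetical form field
        if ("logout".equals(action)) {
            HttpSession ses = request.getSession(false);
            if (ses != null) {
                ses.invalidate(); // drops the "logged" attribute with the session
            }
            response.sendRedirect(request.getContextPath() + "/LoginCheck");
            return;
        }
        try {
            // Container-managed credential check (assumes a realm is configured).
            request.login(request.getParameter("user"), request.getParameter("password"));
        } catch (ServletException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.getSession(true);   // changeSessionId() requires an existing session
        request.changeSessionId();  // new id at login, so a pre-login id is not carried over
        request.getSession().setAttribute("logged", Boolean.TRUE);
        response.sendRedirect(request.getContextPath() + "/LoginCheck");
    }
}
```

LoginCheck can then call LoginController.isLoggedIn(request) instead of testing the session for null, so a session created by some other component is not mistaken for a login.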
