How can administrator invalidate sessions other than his own?

Kevin Schaaf

I know that HttpSessionContext is deprecated with no replacement, but is there a work-around if an administrator wants to be able to delete sessions? I can get him a list of the sessions open, but can't find a way to invalidate them... cannot find any way to get a handle on a session other than the getSession method of HttpRequest, which of couse will be the administrator's own... is this just impossible now?


If you're using a Servlet 2.3 container, create a HttpSessionListener that puts each new Session object in a Collection on sessionCreated() and takes it out on sessionDestroyed(). Your administrator user can retrieve that Collection (you would probably want store it in the Application Context), and do things with the Sessions like list them, invalidate them, etc.