request.getSession is not returning same session

Question

Our product is developed in Spring 3.0 MVC.

We have used, session as follows in controllers.

  @Controller
  public class LoginController{
     HttpSession session;

     @RequestMapping(value="/index.htm",method = RequestMethod.POST)
     public ModelAndView viewIndex(HttpServletRequest request){
     session=request.getSession(false);
     System.out.println(request.getSession(false));
     System.out.println(session);   
     }
  }

Here in Firefox, i can see both request.getSession(false) and session are printed with same value.

While in IE, i can see request.getSession(false) prints a value and session is printed as null.

What could be the reason?

Note: I am not using any filter for session

Answer 1

You should never assign request or session specific variables as a field of a class of which there's only one instance throughout the entire application's lifetime. All the webpage visitors would then share the same variable. Visitor X would then share the session with visitor Y. This is a huge data integrity leak.

As to grabbing the session, if you need the session, just use request.getSession() straight without the boolean. Do not assign it to some field for "later reuse".

@RequestMapping(value="/index.htm",method = RequestMethod.POST)
public ModelAndView viewIndex(HttpServletRequest request){
    HttpSession session = request.getSession();
    // ... Get/set attributes?
}

For more background information about how servlets works under the covers (Spring MVC is a framework which is built on top of the basic Servlet API), you may find this post useful: How do servlets work? Instantiation, sessions, shared variables and multithreading.