Java Request.isRequestedSessionValid() still true after session expires

I am using Spring Security 3.0 and created a custom filter to check for expired sessions.

My problem is that request.isRequestedSessionValid() r开发者_运维百科eturns true in my filter even after I let the session expire or log out. If I try to access any secured page, I do get redirected to my login page so I know that the session management works.

My understanding was that when a web session times out, the session is automatically invalidated and I also set invalidate-session in my logout element of Spring Security. How can the session still be valid? Am I checking the wrong value?

request.isRequestedSessionValid() can itself cause a session to be created, even after logout has been called. Use request.getSession(false) != null to check instead, which will ensure that a session is not created.