HttpSession

Hi, I am confused with the HttpSession object. It is sent from the client through HttpServletRequest. But how does the servlet identify a HttpSession object to track the user session? In other words, how does servlet know that the HttpSession object is from a particular client in order to do the tracking?
Thanks!

Hi,
The Server (Servlet), with every HTTPSession, places a cookie on the client. The Client returns this cookie which is identified by the servlet... thus retrieving the HTTP Session object. This special cookie's value is set by the Servlet automatically whenever a HTTP Session is made, and this value is UNIQUE.
AM I RIGHT - ANYONE?
regards...
nutan

Originally posted by nutan prakash:
Hi,
The Server (Servlet), with every HTTPSession, places a cookie on the client. The Client returns this cookie which is identified by the servlet... thus retrieving the HTTP Session object. This special cookie's value is set by the Servlet automatically whenever a HTTP Session is made, and this value is UNIQUE.
AM I RIGHT - ANYONE?
regards...
nutan

Close, but not right. The servlet does not send the cookie. The servlet CONTAINER sets the session id and sends the cookie. The cookie contains the session id. When the client makes another connection, it returns the cookie, the servlet container extracts the session id and uses that to retrieve the correct session when the servlet calls getSession(boolean).

Originally posted by Kevin Mukhar:
Close, but not right. The servlet does not send the cookie. The servlet CONTAINER sets the session id and sends the cookie. The cookie contains the session id.

If the client has cookies disabled (or does not support them), this scheme falls apart. But your servlet container may support URL rewriting to include the session ID as part of the URL. This works with any browser.
However, URL rewriting also takes some effort on your part because it only works if you call HttpServletResponse.encodeURL(String) faithfully for every URL you write out.
- peter

Originally posted by Peter den Haan:
If the client has cookies disabled (or does not support them), this scheme falls apart. But your servlet container may support URL rewriting to include the session ID as part of the URL. This works with any browser.
However, URL rewriting also takes some effort on your part because it only works if you call HttpServletResponse.encodeURL(String) faithfully for every URL you write out.
- peter

Minor nit...in addition to the servlet container, the web server may also support URL rewriting. The Apache webserver is still faster (and theoretically safer) at serving static content than the Jakarta Tomcat webserver/container, so I compiled mod_rewrite into Apache to allow the session ID to be "tracked" across dynamic and static pages.

"Diskmuncher",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp . We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please choose a new name which meets the requirements.
Thanks.