always only ONE session ?

 
Ranch Hand
Posts: 116
If I use HttpSession to carry objects through a few JSP pages and servlet, action classes, etc., does request.getSession() always return me the same session I created in the previous page(s)? I mean, I want to make sure this session is the same and, more importantly, NOT shared. Do I need to do anything to make sure this assumption is valid?
 
Sheriff
Posts: 67747
You do not create the session -- it is created on your behalf by the container. Yes, it will persist across requests (unless or until it times out), and no, it will not be shared.
 
Ranch Hand
Posts: 149
Session persistence will be transparent as long as your user has session-cookies set to ON in her browser.

If you want to make sure that the paranoids who have even session-cookies OFF won't spoil your beautiful concept, then there is a little more work involved.

For this case you have to do a little URL rewriting with the encodeURL of the HttpServletResponse object.



encodeURL

public java.lang.String encodeURL(java.lang.String url)

Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.

Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.




In addition to that, make sure you understand that there are not several instances of your servlet (or JSP page).

There is always exactly _one_ instance and you share this instance with all other current users. Concurrent usage is handled by leading multiple threads through this instance. This can be quite fun if you expect a field to be in the state you left it on your previous visit, but had visitors in the meantime.

J.
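
The shared-instance pitfall described in the post above, as an added example that is not part of the original thread: a plain-Java stand-in for a servlet that runs without a container. The class names, the `Map` standing in for `HttpSession`, and the barrier that forces the two requests to overlap are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SharedInstanceDemo {
    // Stand-in for a servlet: one instance, every request thread runs through it.
    static class UnsafeHandler {
        private String currentUser; // instance field, shared by ALL concurrent requests

        String handle(String user, CyclicBarrier bothWritten) throws Exception {
            currentUser = user;     // each request stores "its" user in the shared field
            bothWritten.await();    // force the overlap that real load produces by chance
            return "Hello " + currentUser; // both requests read the last writer's value
        }
    }

    // Per-user state goes into the session object instead of the handler.
    static class SafeHandler {
        String handle(Map<String, Object> session, String user, CyclicBarrier bothWritten)
                throws Exception {
            session.put("user", user);     // like session.setAttribute("user", user)
            bothWritten.await();
            return "Hello " + session.get("user");
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CyclicBarrier barrier = new CyclicBarrier(2); // resets itself after each use

        UnsafeHandler unsafe = new UnsafeHandler();
        Future<String> a = pool.submit(() -> unsafe.handle("alice", barrier));
        Future<String> b = pool.submit(() -> unsafe.handle("bob", barrier));
        System.out.println("instance field -> alice: " + a.get() + " | bob: " + b.get());

        SafeHandler safe = new SafeHandler();
        // Constructed sessions: the container would hand out one per session ID.
        Map<String, Object> aliceSession = new ConcurrentHashMap<>();
        Map<String, Object> bobSession = new ConcurrentHashMap<>();
        Future<String> c = pool.submit(() -> safe.handle(aliceSession, "alice", barrier));
        Future<String> d = pool.submit(() -> safe.handle(bobSession, "bob", barrier));
        System.out.println("session attr   -> alice: " + c.get() + " | bob: " + d.get());
        pool.shutdown();
    }
}
```

In the first printed line both responses carry the same name, so one user is shown the other's data; in the second line each request sees only its own session's value.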
 
Frank Sikuluzu
Ranch Hand
Posts: 116
Thanks. Now, I am concerned about whether I should use encodeURL()! The situation for me is --- in the web application I will NOT use any cookie for security reasons. My web application is just several JSP pages connected by some Action classes and a central dispatching servlet. The way I do page switches is to use "forward()" most of the time and occasionally use "sendRedirect()". Do I really need to use encodeURL, and when?

thanks.
 
Ranch Hand
Posts: 167

Originally posted by Frank Sikuluzu:
In the web application I will NOT use any cookie for security reasons.



I am not sure I understand this requirement. You don't want to use cookies as that is a security threat, but you are fine with placing the same information in the URL?
 
Bear Bibeault
Sheriff
Posts: 67747
Ditto. What security risk do you think you are avoiding?
 