question on session management

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { PrintWriter out = response.getWriter(); response.setContentType("text/html"); out.write("<HTML><HEAD>"); out.write("<TITLE>Session Aspects</TITLE>"); out.write("</HEAD><BODY>"); HttpSession session = request.getSession(); out.write("<BR />" + session.isNew()); out.write("<BR />" + request.isRequestedSessionIdFromURL()); out.write("<BR />" + request.isRequestedSessionIdFromCookie()); out.write("</BODY></HTML>"); }

given the above code - and give this circumstance -
"the servlet is called for the second time by the client"
of the following combinations ( return values of the three methods in the above code), which are possible for this circumstance -

1. T T F
2. T F F
3. T F T
4. F T T
5. F T F
6. F F T

as per my opinion, since the servlet is being called for the 2nd time,
the isNew( ) should return false. so 4,5,6 are the answers
but the answer given is 2.
please explain. thanks in advance

Reference - David Bridgewater book chapter 4 question 1

What does it say about cookie support and url rewriting ?

nothing

the circumstance given in code is -

'the sevlet is called for the second time by the client'

thats it

this questions is from hanumant deshmukh book chapter 8 test

session.isNew()

will always return true whether session is newly created or there exist a session already

The answer will be 2 if servlet browser doesn't support cookies..

Cookie will not be set since browser doesn't support cookies (assumption) and also container will not get session id from URL since no URL was encoded. So, even in second request server thinks the request was from different client and creates new session..

it doesnt make any sense to me, what you all guys are saying.

i think the question is not that clear !

and how can we assume (the circumstance doesnt say anything) that cookies are disabled and URL encoding is not doe in code ???

so, i think the question is incomplete in itself

it doesnt make any sense to me, what you all guys are saying.

i think the question is not that clear !

and how can we assume (the circumstance doesnt say anything) that cookies are disabled and URL encoding is not doe in code ???

so, i think the question is incomplete in itself

so, i think the question is incomplete in itself

I agree

Hi,
I ran this code and here are the results:

Window 1
1st time: TFF
2nd time(and subsequent refreshes): FFT

Window 2(opened a new window and copied the same URL)
1st time: TFF
2nd time(and subsequent refreshes): FFT

Note: cookies enabled on my browser.

My Conclusion: When I open a window, container starts a new session.It adds session id in the form of cookies so when I refresh, container retrieves the session. This is how 1st & 3rd print's show. Since URL rewriting is not being done, the 2nd print statement always prints false.

Please comment on my understanding if I am correct.

Thanks and regards,
Saurabh Kumar

thanks a lot saurabh.

Well, since the client is visiting for the second time, the isNew( ) should return false ( If we assume that session management is possible either because of cookies/ URL ). So, with this assumption, 4,5,6 are the answers.This is also proved by saurabh�s 2nd and 4th screen shots above.
Now isRequestedSessionIdFromURL( ) and isRequestedSessionIdFromCookie( ) both cant return T at the same time.This is because, though both cookies are enabled and URL is done, the container will use only one of them.
So we rule out 4. So 5 and 6 are possible, in light of the given circumstance and our assumption.

But isNew( ) will return true ( if we assume that session management isn�t possible as both cookies are disabled && URL encoding is also not done ). So, with this assumption 1,2,3 are possible answers. Again, in light of our assumption, we select only 2 ( ruling out 1 & 3 in which the 2nd last outputs toggle between T and F.This contrasts our assumption.Since no session management is possible, the two methods will return false always which is shown in 2nd option only)

So, we are left with 2, 5 and 6. I guess, if the book says, that �2� is the answer, the circumstance should rather say �

�the servlet is called for 2nd time by the client and cookies as well as URL is not possible�

Hope this makes sense.
Thanks.

thanks a lot saurabh.

Well, since the client is visiting for the second time, the isNew( ) should return false ( If we assume that session management is possible either because of cookies/ URL ). So, with this assumption, 4,5,6 are the answers.This is also proved by saurabh�s 2nd and 4th screen shots above.
Now isRequestedSessionIdFromURL( ) and isRequestedSessionIdFromCookie( ) both cant return T at the same time.This is because, though both cookies are enabled and URL is done, the container will use only one of them.
So we rule out 4. So 5 and 6 are possible, in light of the given circumstance and our assumption.

But isNew( ) will return true ( if we assume that session management isn�t possible as both cookies are disabled && URL encoding is also not done ). So, with this assumption 1,2,3 are possible answers. Again, in light of our assumption, we select only 2 ( ruling out 1 & 3 in which the 2nd last outputs toggle between T and F.This contrasts our assumption.Since no session management is possible, the two methods will return false always which is shown in 2nd option only)

So, we are left with 2, 5 and 6. I guess, if the book says, that �2� is the answer, the circumstance should rather say �

�the servlet is called for 2nd time by the client and cookies as well as URL is not possible�

Hope this makes sense.
Thanks.

i am expecting
replies
and analysis on what i said !!!

yes, I agree with the conclusion you have drawn.

stmt1: session.isNew():
stmt2: request.isRequestedSessionIdFromURL()
stmt 3: request.isRequestedSessionIdFromCookie());

I analysed it under 2 cases:
Case 1. Cookies enabled:
In this case, if the servlet is invoked 1st time, stmt1 gives True, stmt2 & stmt 3 gives False. Now if the same servlet is invoked again, stmt1 gives False, stmt2 gives False & stmt3 gives True.

Case 2. Cookies disabled & URL rewriting is used:
In this case, if the servlet is invoked 1st time, stmt1 gives True, stmt2 & stmt 3 gives False. Now if the same servlet is invoked again, stmt1 gives False, stmt2 gives True & stmt3 gives False.

T,F,F this means this is a new request i.e not associated with any session( no session management). Now if there is no session management then every request will be treated as a new one so, I think, there is no point saying- "called for the second time"...

Please correct me if I am wrong.

Thanks and regards,
Saurabh