
Force HttpSession to use URL Rewriting

 
ah bo
Greenhorn
Posts: 9
Hi all you JSP guru:
I am currently working on a JSP project that requires session tracking. I know how to use the session tracking API with the HttpSession object, but I have a quick question. As far as I know, the HttpSession object will only use URL rewriting to do session tracking if cookies are disabled in the client browser. The encodeURL method basically does nothing unless cookies are disabled. Is there a way to force the HttpSession object to ALWAYS use URL rewriting (i.e. always append the session ID to the URL when I have the encodeURL in place) regardless of cookie support? I have searched for an answer for a long time but have not been able to find a way to do it. Is it possible at all?
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
The HttpSession object does not actively do anything, it is simply storage. It is the HttpServletRequest that provides the capability of finding a session due to a URLEncoded id.
It is HttpServletResponse that has the encodeUrl method.
It is up to you, the programmer, to encode URLs written by your servlet or JSP.
Bill
 
ah bo
Greenhorn
Posts: 9
Thanks for your reply, but I don't think you have answered my question. I mean, I don't remember all the gory details about session tracking, so forgive me when I said it was the HttpSession object. In fact, I already have the session management working for my project, but I was just wondering if there is any way to force the session to always use the URL rewriting method (by using encodeURL) to store the session ID regardless of whether cookies have been disabled.
 
Gerry Giese
Ranch Hand
Posts: 247
I'm curious about this as well. In the intranet environment I work in, the admins are particularly concerned about security, and they recommend (and sometimes enforce) cookies being turned off on desktop machines. Maybe there's a webapp setting? Or a server setting?
If we're stuck with code, I suppose we could either extend URL so that its toString() call does a rewrite, or just use a servlet filter on the back-end to detect and rewrite all URLs (sounds CPU heavy to me). Or maybe there is an HTTP header to use?
I need to research this more... I'm not familiar enough with J2EE to know the answers yet. Like Ah, I appreciate any help!
 
ah bo
Greenhorn
Posts: 9
I hear you. My boss has his thing against cookies, that's why he wants us to only use URL rewriting to do session tracking. It sounds like we could just not use the Java session tracking API altogether and code something on our own to do session tracking on the webserver. Does anyone have an easy solution to this if that is the case? A simple algorithm that does session tracking. Thank you very much.
 
Mike Curwen
Ranch Hand
Posts: 3695
I have never personally tried this, so no guarantees...

BUT...

If you use Tomcat 4.0.x (and perhaps 3.2.x, but I can't check right now), in server.xml, find the context element for the particular web application you are talking about. If you've been using Tomcat's built-in 'thanks very much' behaviour of loading anything under the webapps directory automatically, you'll have to add one here, because you want to use a non-default value.

Anyways... there is an attribute in the context element called 'cookie'. Set it to false, and the context should *always* use URL rewriting. i.e.: It will force request.encodeURL to encode the URL with the jsessionid string.

Let us know how it works.
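
The setting described in the post above, as an added configuration example that is not part of the original thread: in Tomcat's documented Context attributes the name is spelled `cookies`, and the `path` and `docBase` values here are assumed placeholders. The second fragment goes beyond the post and shows the container-independent equivalent from Servlet 3.0 and later, which postdates the Tomcat versions discussed here.

```xml
<!-- Fragment 1: Tomcat conf/server.xml, inside the <Host> element.
     path and docBase are placeholder values (assumptions).
     cookies="false" stops the container from issuing the session
     cookie, so the session id travels only in URLs that were passed
     through response.encodeURL() / response.encodeRedirectURL(). -->
<Context path="/myapp" docBase="myapp" cookies="false" />

<!-- Fragment 2: WEB-INF/web.xml of a Servlet 3.0+ web application.
     Declaring URL as the only tracking mode has the same effect on
     any compliant container, without a server-specific setting. -->
<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config>
```

With either setting, any link, form action or redirect that is not passed through `encodeURL` or `encodeRedirectURL` drops the session. The session id also becomes part of every encoded URL, so it is recorded wherever URLs are recorded, such as access logs, browser history and Referer headers.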
 
ah bo
Greenhorn
Posts: 9
Thanks for your reply. Although we do not use Tomcat at work, I would certainly try to find out if there is an equivalent setting in what we use (JServ) first thing tomorrow. I will let you all know after I tried it. Thank you very much.
 