
use only encodeURL() even end-user supports cookies

 
Gangadhar Reddy
Greenhorn
Posts: 25
The container sees that you called request.getSession() on the FIRST request and realizes that it needs to start a new session with this client, so the container sends the response with both a "Set-Cookie" header for the session ID and the session ID appended to the URLs (assuming you used response.encodeURL()).

Let us consider that this client accepts cookies.

Now my doubt is whether the SECOND request from this client contains cookies as part of its request, or whether jsessionid will also be appended to the URL, or both?

I have one more question.

Some banking websites, such as www.icicibank.com, MUST encode URLs whether the end user accepts cookies or not. How can one encode URLs even when the end user supports cookies, as the container may not want to set cookies because of security constraints?
 
Bosun Bello
Ranch Hand
Posts: 1511
Yes. If cookies are enabled, the second request will send the cookies, and the container will know to use cookies for session tracking instead of URL rewriting. Even so, URL rewriting can only be used if you pass all generated URLs through the encodeURL method.
 
Gangadhar Reddy
Greenhorn
Posts: 25
Bosun Bello,

So you mean to say that, for the second request to the server, the session id will be appended to the URL AND the session will be enclosed in cookies too. When the container receives this request, it will check whether the end user accepts cookies or not. But how could the container know that the end user is accepting cookies? Because when the container uses request.getSession() it's going to get session id either from URL or from inside cookie. Thereby it cannot say where it is coming from?

My other question is...

Do we have separate pages/coding for the same application, one which accepts cookies and one which does not accept cookies?

If there is a requirement where one MUST overwrite the URL even when the end user accepts cookies, can we accomplish this? If so, could you please tell me?
 
A Bhattacharya
Ranch Hand
Posts: 125
You appear confused when you say
>> Because when the container uses request.getSession() it's going to get session id either from URL or from inside cookie. <<
The container is the one implementing getSession. The web application residing in the container uses it.
 
Christophe Verré
Sheriff
Posts: 14691
Do we have separate pages/coding for the same application, one which accepts cookies and one which does not accept cookies?

No. Enabling/disabling cookies is something controlled by the browser, not by individual pages.

If there is a requirement where one MUST overwrite the URL even when the end user accepts cookies, can we accomplish this?

No, there's no requirement to do it. However, if you want to ensure that users who disabled cookies on their browser can use a session, you'd better use URL rewriting.
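
The servlet API exposes how the client presented its session ID, which is what the container consults when deciding whether encodeURL() should rewrite. The servlet below is an added example, not code from any poster in this thread; the class name and the idea of mapping it to a path such as /track are hypothetical, and it assumes the javax.servlet API (jakarta.servlet on newer containers).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet (added example, not from the thread).
public class SessionTrackingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // How did the client present its session ID on THIS request?
        // All three are false/null on the very first request.
        boolean presented  = req.getRequestedSessionId() != null;
        boolean fromCookie = req.isRequestedSessionIdFromCookie();
        boolean fromUrl    = req.isRequestedSessionIdFromURL();
        boolean stillValid = req.isRequestedSessionIdValid();

        // Creates a session if the request did not carry a valid one.
        HttpSession session = req.getSession();

        // Build the link from context path + servlet path so that any
        // ;jsessionid path parameter on the incoming URI is not copied.
        String target = req.getContextPath() + req.getServletPath();

        // The container decides here whether to append ;jsessionid=...
        // Per the API contract it skips rewriting when it is unnecessary,
        // for example when the ID already came back in a cookie.
        String encoded = resp.encodeURL(target);
        boolean rewritten = !encoded.equals(target);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session is new          : " + session.isNew());
        out.println("client presented an ID  : " + presented);
        out.println("ID came from cookie     : " + fromCookie);
        out.println("ID came from URL        : " + fromUrl);
        out.println("presented ID still valid: " + stillValid);
        out.println("encodeURL() rewrote link: " + rewritten);
        out.println("next link               : " + encoded);
    }
}
```

Requesting the servlet once and then following the printed link shows the first response with a rewritten link and, in a browser that returns the cookie, the later ones without it.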
 