Win a copy of Functional Reactive Programming this week in the Other Languages forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

HttpSession

 
Bob Moranski
Ranch Hand
Posts: 177
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi, I am confused with the HttpSession object. It is sent from the client through HttpServletRequest. But how does the servlet identify a HttpSession object to track the user session? In other words, how does servlet know that the HttpSession object is from a particular client in order to do the tracking?
Thanks!
 
nutan prakash
Greenhorn
Posts: 16
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,
The Server (Servlet), with every HTTPSession, places a cookie on the client. The Client returns this cookie which is identified by the servlet... thus retrieving the HTTP Session object. This special cookie's value is set by the Servlet automatically whenever a HTTP Session is made, and this value is UNIQUE.
AM I RIGHT - ANYONE?
regards...
nutan
 
Kevin Mukhar
Ranch Hand
Posts: 83
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by nutan prakash:
Hi,
The Server (Servlet), with every HTTPSession, places a cookie on the client. The Client returns this cookie which is identified by the servlet... thus retrieving the HTTP Session object. This special cookie's value is set by the Servlet automatically whenever a HTTP Session is made, and this value is UNIQUE.
AM I RIGHT - ANYONE?
regards...
nutan

Close, but not right. The servlet does not send the cookie. The servlet CONTAINER sets the session id and sends the cookie. The cookie contains the session id. When the client makes another connection, it returns the cookie, the servlet container extracts the session id and uses that to retrieve the correct session when the servlet calls getSession(boolean).
 
Peter den Haan
author
Ranch Hand
Posts: 3252
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Kevin Mukhar:
Close, but not right. The servlet does not send the cookie. The servlet CONTAINER sets the session id and sends the cookie. The cookie contains the session id.

If the client has cookies disabled (or does not support them), this scheme falls apart. But your servlet container may support URL rewriting to include the session ID as part of the URL. This works with any browser.
However, URL rewriting also takes some effort on your part because it only works if you call HttpServletResponse.encodeURL(String) faithfully for every URL you write out.
- peter
 
Diskmuncher
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Peter den Haan:
If the client has cookies disabled (or does not support them), this scheme falls apart. But your servlet container may support URL rewriting to include the session ID as part of the URL. This works with any browser.
However, URL rewriting also takes some effort on your part because it only works if you call HttpServletResponse.encodeURL(String) faithfully for every URL you write out.
- peter


Minor nit...in addition to the servlet container, the web server may also support URL rewriting. The Apache webserver is still faster (and theoretically safer) at serving static content than the Jakarta Tomcat webserver/container, so I compiled mod_rewrite into Apache to allow the session ID to be "tracked" across dynamic and static pages.
 
Frank Carver
Sheriff
Posts: 6920
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
"Diskmuncher",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp . We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please choose a new name which meets the requirements.
Thanks.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic