I'm trying to find a way to get the same session id that is used to track an HTTP session with the same user (but they could be using different web browsers such as MSIE, Mozilla Firefox). Currently I am using cookies to track these session ids, but MSIE and Firefox don't share cookies, so I ended up getting different session ids. I wanted the session id to be created based on the client's IP address. My questions are:
- How does the Jetty servlet container generate session ids?
- Is there a way to configure the servlet container to generate session ids based on the IP address of the client?
- In the servlet 2.3 spec, it is mentioned that besides Cookies and URL Rewriting as session tracking mechanisms, SSL sessions "allow multiple requests from a client to be unambiguously identified as being part of a session. A servlet container can easily use this data to define a session". Does anybody know how this works (in particular with the Jetty servlet container)?
I wanted the session id to be created based on the client's IP address.
That's not the way it works because it is flawed. Imagine you were working in a company with 500 employees - you all sit behind the company router and from the 'internet' all have the same external IP address. A session is a way to uniquely identify one client.
The SSL session id is not really suitable for web session tracking as SSL is a large overhead on the server. For that reason developers normally make use of SSL only on particular pages - your SSL session id would not always be available.
Your requirement is quite strange, perhaps you can explain why you need it so alternative approaches can be suggested.
posted 12 years ago
My application seemed to be getting session id whether they are using MSIE or Mozilla Firefox or Opera, when I deploy it in Tomcat. However, when I deploy this in Jetty, I seemed to be getting different session ids for MSIE and Mozilla Firefox.
My application binds a lot of data to an HTTP session, so I do want to get the same session id back.
You may want to sit down with the Servlet spec and read the sections that describe an HTTP Session (link in my signature).
A session would never be shared among multiple browsers on a machine (There are ways to open multiple MSIE instances all sharing the same session cookie but that's another issue). As Darren mentioned, binding an httpSession to the user's IP would be a recipe for disaster.
And the session ID generation is independent from the browser in use (though it is possible that some web containers may use the browser type as part of the string they return). If Jetty returns the same session ID for different browser(instance)s that are all open it is seriously flawed, they should be globally unique in the web container (though they could in theory be reused after being closed or timed out).
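The shared-IP problem raised in the replies above, shown as an added example that is not part of the original thread and is not Jetty's or Tomcat's code. It compares an id derived from the client IP with a per-session random id; the class name, the map-based session store and the sample address are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SessionIdDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Scheme asked about in the question: the id is a pure function of the client IP,
    // so it is identical for every client behind that address and is not secret.
    static String ipDerivedId(String clientIp) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(clientIp.getBytes(StandardCharsets.UTF_8));
        return B64.encodeToString(digest);
    }

    // Per-session random id: 128 bits from a CSPRNG, unrelated to any client attribute.
    static String randomId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return B64.encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two employees behind one company router (RFC 5737 address).
        String natIp = "203.0.113.7";
        Map<String, Map<String, Object>> store = new HashMap<>();

        // Alice's data is bound to the IP-derived session.
        store.computeIfAbsent(ipDerivedId(natIp), k -> new HashMap<>()).put("user", "alice");
        // Bob's first request comes from the same external IP and lands in Alice's session.
        Map<String, Object> bobShared = store.computeIfAbsent(ipDerivedId(natIp), k -> new HashMap<>());
        System.out.println("IP-derived id: Bob's session has user=" + bobShared.get("user"));

        // With random ids each client gets its own, initially empty, session.
        String aliceId = randomId();
        String bobId = randomId();
        store.computeIfAbsent(aliceId, k -> new HashMap<>()).put("user", "alice");
        Map<String, Object> bobOwn = store.computeIfAbsent(bobId, k -> new HashMap<>());
        System.out.println("Random id:     Bob's session has user=" + bobOwn.get("user"));
        System.out.println("Random ids differ: " + !aliceId.equals(bobId));
    }
}
```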
posted 12 years ago
I know that the session id is generated by the servlet container, and it also manages this as well. I have gone through the Servlet spec (several times), and know the 3 ways to maintain sessions (URL rewriting, cookies, SSL session).
My question is why the behaviour is so different between servlet containers? It doesn't make sense when MSIE, Firefox, Opera have same session id (in Tomcat servlet container). He do use SSL (HTTPS) communication between client-server.