
Keeping track of session id

 
Yvonne Borov
Greenhorn
Posts: 3
Hi all,

I'm trying to find a way to get the same session id that is used to track an HTTP session with the same user (but they could be using different web browsers such as MSIE, Mozilla Firefox). Currently I am using cookies to track these session ids, but MSIE and Firefox don't share cookies, so I ended up getting different session ids. I wanted the session id to be created based on the client's IP address.
My questions are:
- How does the Jetty servlet container generate session ids?
- Is there a way to configure the servlet container to generate session ids based on the IP address of the client?
- In the servlet 2.3 spec, it is mentioned that besides Cookies and URL Rewriting as session tracking mechanisms, SSL sessions "allow multiple requests from a client to be unambiguously identified as being part of a session. A servlet container can easily use this data to define a session". Does anybody know how this works (in particular with the Jetty servlet container)?

Any help is very much appreciated.

y
 
Darren Edwards
Ranch Hand
Posts: 69
I wanted the session id to be created based on the client's IP address.

That's not the way it works because it is flawed. Imagine you were working in a company with 500 employees - you all sit behind the company router and from the 'internet' all have the same external IP address. A session is a way to uniquely identify one client.

The SSL session id is not really suitable for web session tracking as SSL is a large overhead on the server. For that reason developers normally make use of SSL only on particular pages - your SSL session id would not always be available.

Your requirement is quite strange, perhaps you can explain why you need it so alternative approaches can be suggested.
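
Darren's point about many users sharing one external IP address, as an added example that is not part of the original thread and is not Jetty's or Tomcat's own ID generator. The class name, method names, user names and sample address are constructed for illustration; the random scheme shown is one common approach, assumed here for contrast.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SessionIdDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Scheme asked about in the thread: id derived only from the client IP.
    // Anyone who knows the IP can recompute it, and NAT peers collide.
    static String ipDerivedId(String clientIp) throws NoSuchAlgorithmException {
        byte[] h = MessageDigest.getInstance("SHA-256")
                .digest(clientIp.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(h);
    }

    // Contrast: 128 bits from a CSPRNG, independent of any client attribute.
    static String randomId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two users behind one company router
        // (203.0.113.0/24 is a documentation-only address range).
        String[][] clients = { {"alice", "203.0.113.7"}, {"bob", "203.0.113.7"} };

        Map<String, String> byIp = new HashMap<>();      // session id -> owner
        Map<String, String> byRandom = new HashMap<>();
        for (String[] c : clients) {
            // put() overwrites: the second user lands in the first user's session
            byIp.put(ipDerivedId(c[1]), c[0]);
            byRandom.put(randomId(), c[0]);
        }
        System.out.println("IP-derived sessions: " + byIp.size());
        System.out.println("Random-id sessions:  " + byRandom.size());
        System.out.println("Owner of the shared IP-derived session: "
                + byIp.get(ipDerivedId("203.0.113.7")));
    }
}
```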
 
Yvonne Borov
Greenhorn
Posts: 3
My application seemed to be getting session id whether they are using MSIE or Mozilla Firefox or Opera, when I deploy it in Tomcat.
However, when I deploy this in Jetty, I seemed to be getting different session id for MSIE and Mozilla Firefox.

My application binds a lot of data to an HTTP session, so I do want to get the same session id back.
 
Ben Souther
Sheriff
Posts: 13411
You may want to sit down with the Servlet spec and read the sections that describe an HTTP Session (link in my signature).

A session would never be shared among multiple browsers on a machine (There are ways to open multiple MSIE instances all sharing the same session cookie but that's another issue). As Darren mentioned, binding an httpSession to the user's IP would be a recipe for disaster.
 
Jeroen T Wenting
Ranch Hand
Posts: 1847
And the session ID generation is independent from the browser in use (though it is possible that some web containers may use the browser type as part of the string they return).
If Jetty returns the same session ID for different browser(instance)s that are all open it is seriously flawed, they should be globally unique in the web container (though they could in theory be reused after being closed or timed out).
 
Yvonne Borov
Greenhorn
Posts: 3
I know that the session id is generated by the servlet container, and it also manages this as well. I have gone through the Servlet spec (several times), and know the 3 ways to maintain sessions (URL rewriting, cookies, SSL session).

My question is why the behaviour is so different between servlet containers? It doesn't make sense when MSIE, Firefox, Opera have the same session id (in the Tomcat servlet container). He do use SSL (HTTPS) communication between client-server.