Originally posted by Dilip Mallik:
In servlet we have the option of keeping a request in the same session
or not If we don't write HttpSession session = req.getSession(); that means
we want from this point the request to be out of the session we are using.
This isn't exactly right.
Once you call getSession, the session object the first time the session is created. The session won't be discontinued if a subsequent request fails to call getSession. If getSession is never called, the container won't instanciate the session object.
In other words, there is no way to 'discontinue' using a session.
The closest thing you could do is call HttpSession.invalidate() which will end that session, causing a new one to be created if, in a subsequent request, getSession is called again.
Now, my question is:-
As, the session object is by default available in every jsp,I was thinking
if we need to invalidate session explicitly or write session="false" in page directive if we don't want subsequent requests to be considered under a single session .
JSPs are compiled into servlet code by your container when they're first hit. By default, the generated code contains a call to getSession unless
you add the session="false" directive to your JSP.
Adding session="false" to another JSP will not invalidate your session.
It will (just like with a servlet that never calls getSession) simply keep that JSP from causing the container to create a session.
If you want to invalidate a session, you would call session.invalidate().
Another question is in jsp we don't need to write HttpSession session = req.getSession();Any response generated by a jsp will pass the cookie hence the session id to client by default as session object is by default available.
Correct.
As mentioned earlier, the generated servlet code will, by default, contain a call to getSession in order to supply the JSP with implicit 'session' variable. That is, unless you add the session="false" directive.
Two things you might want to check out.
1.) The specs for both Servlets and JSP.
There are links to both in my signature.
2.) Your JSP's generated servlet code.
Depending on your container, you might need to alter the configuration in order to keep this around.
You don't with the
Tomcat application server.
The generated servlet code will be under the tomcat/work/org/apache/jsp directory.
Try creating a small JSP, hitting it, and then viewing the generated servlet code. Then add the session="false" directive, hit it again, and compare the new servlet code to the old.