
What's the best practice approach for implementing persistent sessions in Tomcat?

 
Alex Ryan
Greenhorn
Posts: 14
Does anybody here have a Tomcat based web app that they are offering persistent sessions for?
What I mean by "persistent session" is that the user is given the option to stay logged in until they choose to be logged out.

I believe the traditional means of doing this is to use cookies.
The way that I've implemented this is to funnel all requests through a ServletFilter.
The filter just checks to make sure that the user's HttpSession is still active by looking to see if the userID is still in there.
If it is, it just passes the request through the chain.
If it is not, it reads the cookie from the HttpRequest, does a quick database lookup to find out who the user is, and stuffs the userID back into the HttpSession, before passing the request on down the chain.
That way the servlet down the line who receives the request will know who the request is coming from.
Sounds logical, right?

This seemed to work well for me until recently when I started using AJAX.
I'm not sure why, but I've encountered a situation where the servlet that receives the request after the filter has done its thing is not able to read the userId from the session.
It's getting a null.
This is very strange.

From the server logs it appears that the filter is doing its job correctly.
It is looking up the userId and writing it to the session.
But for some reason when the servlet reads it a few milliseconds later, it is reading "null".

Perhaps it is reading from the session before the filter has finished writing to it?
I don't know how to explain this behavior.

Has anyone else encountered this?
I thought my design was okay, but now I'm thinking that maybe I'm doing something incorrect.
I'm curious to know if anyone here has a different approach for implementing persistent sessions that is more reliable which they would like to share.


From the filter ...

System.out.println(">Success: user found 4 vSessionId=" + vSessionId);
System.out.println(">Success: user.getEmail() = " + user.getEmail());
HttpSessionManager.setUserName(request2, user.getEmail());
HttpSessionManager.setUserId(request2, user.getId());

From the servlet ...

String requestorId = HttpSessionManager.getUserId(request);
String requestorName = HttpSessionManager.getUserName(request);
logger.debug("requestorId=|" + requestorId + "|");
logger.debug("requestorName=|" + requestorName + "|");

From the logs ...

1542 >Success: vSessionId=gpjer42edwcn
...
1544 >Success: user found 4 vSessionId=gpjer42edwcn
1545 >Success: user.getEmail() = alexander.j.ryan@gmail.com
...
1550 DEBUG: RequestQuoteAddServlet.java:68: requestorId=|null|
1551 DEBUG: RequestQuoteAddServlet.java:69: requestorName=|null|
 
Manish Singh
Ranch Hand
Posts: 160
Your code snippet appears fine. But it may be possible that you have implemented something incorrectly under the HttpSessionManager.

Steps to resolve:
1) The best way to resolve this is to debug your web application in an IDE like Eclipse.
Or, if you don't know how to debug the web application:
2) Try accessing your required fields in the filter itself after the call to the filterChain.doFilter method, i.e. the response filter.
 
Manish Singh
Ranch Hand
Posts: 160
Alex Ryan wrote:
What I mean by "persistent session" is that the user is given the option to stay logged in until they choose to be logged out.

There is a flaw in your design. Test it against:

1) I opened Internet Explorer.
2) I logged in to your web application.
3) I close the browser.

You have not yet stored any cookie on my machine.

4) I open Internet Explorer again and navigate to your webapp.

Will it automatically log me in?
 
Alex Ryan
Greenhorn
Posts: 14
Manish,
Indeed. When you successfully authenticate, the HttpResponse you receive will contain the VSESSIONID cookie, which is a randomly generated string that I will associate with your account to identify you. Your browser will send this back to me with each subsequent HttpRequest so that I know that the request came from you.
 
Seetharaman Venkatasamy
Ranch Hand
Posts: 5575
Alex Ryan wrote:
When you successfully authenticate, the HttpResponse you receive will contain the VSESSIONID cookie, which is a randomly generated string that I will associate with your account to identify you.

VSESSIONID or JSESSIONID? It depends on what server you are using.
 
Manish Singh
Ranch Hand
Posts: 160
@ Alex Ryan

No, it won't log you in. The JSESSIONID is lost when the user closes his browser.

And when he comes again to your application, a new session will be created.
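
The filter design from the opening post, together with the cookie-lifetime question raised in the replies, as an added example (not code from any poster in this thread). It assumes the javax.servlet API (Tomcat 9 or earlier); the in-memory map standing in for the database table, the "userId" attribute name, the issueToken helper and the 30-day lifetime are all hypothetical choices.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: remember-me filter for the design discussed in this thread.
public class RememberMeFilter implements Filter {
    static final String COOKIE = "VSESSIONID";      // cookie name used in the thread
    static final int MAX_AGE = 30 * 24 * 60 * 60;   // assumption: 30 days, in seconds
    // Hypothetical stand-in for the database table mapping token -> userId.
    // A real store would keep only a hash of the token and an expiry time.
    static final Map<String, String> TOKENS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    // Call after a successful login when the user chooses "stay logged in".
    public static void issueToken(HttpServletResponse resp, String userId) {
        byte[] raw = new byte[32];                  // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(token, userId);
        Cookie c = new Cookie(COOKIE, token);
        c.setMaxAge(MAX_AGE);  // without a max age this is a session cookie, lost on browser close
        c.setHttpOnly(true);   // not readable from page scripts
        c.setSecure(true);     // sent over HTTPS only
        c.setPath("/");
        resp.addCookie(c);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(true);
        // Only fall back to the cookie when the container session has no user yet.
        if (session.getAttribute("userId") == null && req.getCookies() != null) {
            for (Cookie c : req.getCookies()) {
                String userId = COOKIE.equals(c.getName()) ? TOKENS.get(c.getValue()) : null;
                if (userId != null) { session.setAttribute("userId", userId); break; }
            }
        }
        chain.doFilter(req, rs);  // servlets read the attribute via request.getSession()
    }
}
```

On logout, remove the token from the store and send the cookie again with a max age of 0 so the browser discards it.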
 