
Are sessions automatically created?

 
Jessid Leon Velez Gutierrez
Ranch Hand
Posts: 35
Hello friends. I don't know if this is the correct forum to ask about this. Anyway... this is my question:

I am trying to learn how sessions are handled and I find that there are at least 2 ways to do it: with cookies and with URL rewriting. I am working with Tomcat and I can see that immediately when I get to the web app home page (for example index.jsp) a cookie with a jsessionid name is created... Is this the normal behavior? I do not want that to happen, because I don't want the user to be in a session just for the fact of opening the login page...

Here are the files I am using:

web.xml
======




Login.jsp: a session is started immediately when I get here.
==================================



VerificadorLogin.java (Only the doPost method)
===============================


Thanks a lot!
 
Ulf Dittmer
Rancher
Posts: 42970
73
  • Likes 1
The default is for JSP pages to create a session. To prevent that, add <%@ page session="false" %> in your JSPs.
 
Stefan Evans
Bartender
Posts: 1822
10
  • Likes 1
Yes, a session is created automatically for you, unless you specify otherwise using <%@ page session="false" %>
Most times that is done with a browser session cookie. If security settings prevent that (they need to be pretty strict settings to do so) then URL rewriting is the standard supported alternative.

The session is just a place where you can store attributes you want to keep across multiple requests.
Having a session doesn't mean you can access the whole application without logging in. That depends on your implementation.

The most common approach is to set a user attribute in the session when the user has logged in successfully.
You then do a check on every request (with a filter) which checks to see if the user attribute is in session.
If it is there, then continue. If not, then forward to the login page.

Some more suggestions:
Instead of doing a sendRedirect, consider doing a requestDispatcher.forward from a servlet to render the correct response.

Also be aware of the response.encodeRedirectURL you should use for encoding redirect URLs as opposed to regular ones you want to render on the page for users to click.
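
The filter check described in the post above, as an added example that is not part of the original thread or any poster's code. It assumes the `javax.servlet` API (Servlet 3.0+), a session attribute named `user` set by the login servlet, and the hypothetical mapping `/VerificadorLogin`; `Login.jsp` itself would still need `<%@ page session="false" %>` so that rendering it does not create a session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: the class name, attribute name and paths are assumptions.
@WebFilter("/*")
public class LoginCheckFilter implements Filter {
    private static final String USER_ATTR = "user";                 // set by the login servlet on success
    private static final String LOGIN_PAGE = "/Login.jsp";
    private static final String LOGIN_ACTION = "/VerificadorLogin"; // assumed servlet mapping

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getServletPath();

        // The login page and the login servlet must stay reachable without a user.
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session; it returns null if none exists,
        // so anonymous requests passing through the filter do not get a JSESSIONID.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            chain.doFilter(req, res);
        } else {
            // Server-side forward: the filter only intercepts REQUEST dispatches by
            // default, so forwarding to the login page does not loop back into it.
            request.getRequestDispatcher(LOGIN_PAGE).forward(req, res);
        }
    }

    @Override
    public void destroy() { }
}
```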
 
Jessid Leon Velez Gutierrez
Ranch Hand
Posts: 35
Ulf Dittmer wrote: The default is for JSP pages to create a session. To prevent that, add <%@ page session="false" %> in your JSPs.


Thanks a lot!!
 
Jessid Leon Velez Gutierrez
Ranch Hand
Posts: 35
Stefan Evans wrote: Yes, a session is created automatically for you, unless you specify otherwise using <%@ page session="false" %>
Most times that is done with a browser session cookie. If security settings prevent that (they need to be pretty strict settings to do so) then URL rewriting is the standard supported alternative.

The session is just a place where you can store attributes you want to keep across multiple requests.
Having a session doesn't mean you can access the whole application without logging in. That depends on your implementation.

The most common approach is to set a user attribute in the session when the user has logged in successfully.
You then do a check on every request (with a filter) which checks to see if the user attribute is in session.
If it is there, then continue. If not, then forward to the login page.

Some more suggestions:
Instead of doing a sendRedirect, consider doing a requestDispatcher.forward from a servlet to render the correct response.

Also be aware of the response.encodeRedirectURL you should use for encoding redirect URLs as opposed to regular ones you want to render on the page for users to click.


Thanks a lot!
 