This week's book giveaway is in the Performance forum.
We're giving away four copies of The Java Performance Companion and have Charlie Hunt, Monica Beckwith, Poonam Parhar, & Bengt Rutisson on-line!
See this thread for details.
Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Who all can access HttpSession and/or its attributes ?

 
Chanakya Gupta
Ranch Hand
Posts: 37
Fedora Netbeans IDE Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The ServletContext(with attributes) - everyone in the application has access.
The HttpSession(with attributes) - who has access ? Can someone clear my doubt ?
Thankyou very much in advance.
 
Dieter Quickfend
Bartender
Posts: 543
4
Java Netbeans IDE Redhat
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The user whose jsessionid corresponds to the HttpSession object.
 
Chanakya Gupta
Ranch Hand
Posts: 37
Fedora Netbeans IDE Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thankyou Dieter !
Upon trying an example, I feel all those Servlets/JSPs have access to 'a session'
who have access to the same request. Because, it is request.getSession();

But, there is a HttpSessionEvent.getSession() also. So those Servlets/JSPs/classes
implementing HttpSessionListener also have access to the same session.

To sum up, all those Servlets/JSPs/classes having same
1. HttpServletRequest
2. HttpSessionListener

Am I right ?
 
Jubayar hosan
Greenhorn
Posts: 3
Android Java Tomcat Server
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
nice
 
Dieter Quickfend
Bartender
Posts: 543
4
Java Netbeans IDE Redhat
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Chanakya:


No, it's like this:

A request doesn't get you a session. The moment you need to put something in a session, and call the getSession() method on the request object, the container will create a session object for you. This object exists on the server. The container will also send a jsessionid in the response, which is stored in a cookie on the client (if you've got cookies enabled). Then, you will automatically send that jsessionid in the header with every request to the server, so that the container recognizes that you're the user that can speak to that particular session object. This is the container's way of maintaining state.

an HttpSessionListener just listens for certain lifecycle events in any session object, and performs a corresponding action. It has nothing to do with who has access to what.

An HttpSession object can span many requests, and many HttpSessionListeners can be registered for any and all HttpSessions.


Hope that clarifies it a little bit.
 
Chanakya Gupta
Ranch Hand
Posts: 37
Fedora Netbeans IDE Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thankyou Dieter !

So any Servlet/JSP/Class is free to have access
to the 'session' ! Got it, I suppose !
 
sourabh girdhar
Ranch Hand
Posts: 71
Java Spring Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes Chanakya,

Any Servlet/JSP can get access to session provided they have access to request object.

Just to clear -
A session can be associated with multiple requests from same client. So be clear about concurrency issues while putting objects in session.

Sourabh
 
Chanakya Gupta
Ranch Hand
Posts: 37
Fedora Netbeans IDE Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Summing up from Dieter and Sourabh,

- multiple requests --> same client --> same sessionid

- any part of the webapp can access this sessionid
(with access to request and event)

- and sessions are not thread-safe.

Thankyou sourabh. Its clearer
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Chanakya Gupta wrote:Summing up from Dieter and Sourabh,

- any part of the webapp can access this sessionid
(with access to request and event)



The part in the parenthesis is important here.
A ServletContextListener, for example, would not be able to access a session.
Likewise the init method in a servlet has no way to access any session information because servlets can be configured to be loaded when the container starts up, before any actual requests have been made.

 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic