• Post Reply Bookmark Topic Watch Topic
  • New Topic

Deleting session cookie in IE 8 and JSF Session doesn't destroy session.

 
Aakash Saxena
Greenhorn
Posts: 13
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Hi All

I am using working on a single page application whose managed bean has a session scope.

Hitting the page creates a session Id.

Functionality is such that if I take action on the combo box on the page and if my operation is successful an icon appears on page to signigy success of action.

After I have taken successful action on my page, if I open the same url in a new tab I see my previous sent action on it instead of a fresh page because managed bean has session scope. This is exactly what i expected it to be.

The problem is :

1) In FIREFOX 19.0 , after taking the successful action if I delete the session cookie and refresh the page, previous state is lost and a fresh page appears.

2) But in Internet Explorer 8.0 , after taking the successful action if I delete the session cookie and refresh the page, previous state is still there while I expected a fresh page this time.

Can some one help me understand why is it happening ?

 
Tim Holloway
Bartender
Posts: 18412
58
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Deleting cookies is a bad way of controlling sessions. If you really want to destroy a session, use the session.invalidate() method.

Actual session data does not travel to and from client and server because A) it wouldn't be secure and B) it would require more network resources. Therefore, what actually gets transmitted is a hash value (session ID) that is used so that the server knows which client a request is being processed for.

This session ID is continually passed back and forth between client and server. Futhermore, it may not always be the same ID. For example, if you switch to SSL, a new ID is created and the old ID is destroyed, but the same session is still there.

There are 2 ways to transmit a session ID. The cleaner way is to do it in a cookie, but that only works if the client has cookies enabled. The alternative is URL rewriting, where a special appendage ("jsessionid=")is attached to URLs so that when the user clicks on links, the session ID gets transmitted as part of the URL itself.

Most likely for some reason IE is getting jsessionids attached to URLs and Firefox isn't. Why that should be I can't say, although until the the server knows whether cookies are available, it may send back session IDs in both cookies and rewritten URLs.

Under no circumstances should you attempt to mess with jsessionids on either client or server side. You don't know what might happen.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!