• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Authentication in tomcat

 
Danny Rivet
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi

I understand that authentication requires session tracking in tomcat. I think it is to remember the page the user requested after logging in.

Will tomcat create a session upon authentication if a session does not exist?

Thank for any help
 
Stefan Evans
Bartender
Posts: 1807
10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Think about how a "session" is identified.
The webserver just gets an HTTP request.
How does it distinguish between requests from different users/sessions?

One implementation is to use the Session Cookie. That cookie is how it identifies the requests from you so that it can associate them with your session.
A session is created by default when you access a JSP page (unless you have explicitly disabled it)
Tomcat will create a session if none exists - i.e. if you don't send a session cookie with your request.

 
Danny Rivet
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank for your reply

Does that mean that if I don't use jsp pages and my servlet does not call request.getSession, tomcat will create a http session upon authentication, as it need a session to keep login state?
 
Stefan Evans
Bartender
Posts: 1807
10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Tomcat will create a session. At what point it does that is largely irrelevant.
Most of the time you shouldn't even have to care.

Just remember that the "session" does not necessarily correspond to being logged in.

Easiest way to confirm the functionality would be to try it out :-)
You could use browser developer tools to monitor the HTTP conversation and determine when the JSESSIONID cookie gets set




 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic