Hi,

I have developed a simple web-app with 2 servlets A and B.

I have a few doubts related to session management for the web-app by Tomcat.

NOTE - I have disabled cookies in my web-browser (Chrome) while accessing the web-app.

1.) When the web-app is first hit, Servlet A gets invoked. Servlet A accesses the session from the request and does a simple sysout of the session hashcode. It then does a sendRedirect to servlet B.

[According to my understanding, since this is the first request, Tomcat will send a cookie containing the new session ID back to the browser. However, since we have not "encoded" the redirect URL using HttpResponse.encodeRedirectURL(), the redirect URL will not contain the session ID appended to it. Please correct me if I am wrong here.]

2.) Since cookies are disabled in my browser, it'll ignore the session ID sent back in the cookie and issue a new request to the redirect URL (which also does not have the session ID appended to it).

3.) The new request causes servlet B to be invoked, which also accesses the request session and does a sysout of the session hashcode.

What perplexes me is that both Servlets A and B output the same session hashcode, which means that they get the same session from both requests.

How does the second request from the browser map to the same session as before, even though no session ID has been sent?

Thanks!

+1  A: 

There are only 2 ways to pass sessions between requests: Cookie and URL rewrite. If you don't see the session ID in the URL, it must be cookies.

Are you sure the cookie is disabled? It should be easy to see from an HTTP header trace.

ZZ Coder
+1  A: 

Are you certain you've disabled "in memory" cookies? Often browsers will let you disable persistent cookies which are saved to disk, but they'll still allow the transient in memory cookies which only stay resident during a browser session.

I recommend Wireshark for analyzing the HTTP stream. That way you can see the cookies that are sent and received by your browser.

karoberts
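
The check both answers above suggest (read the HTTP trace to see how the session ID travels), as an added example that is not part of the original thread: it classifies a captured request by whether Tomcat's session ID arrives in the `JSESSIONID` cookie or in a `;jsessionid=` URL path parameter. The request texts, host, paths and session ID values are constructed samples.

```python
import re

# Tomcat's default names: cookie "JSESSIONID", URL path parameter ";jsessionid=".
URL_PARAM = re.compile(r";jsessionid=([^;?#/\s]+)", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP request into (target, headers) with lower-case header names."""
    lines = raw.strip().splitlines()
    target = lines[0].split()[1]          # "GET <target> HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        if not line.strip():              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def session_carrier(raw):
    """Return (carrier, session_id); carrier is 'cookie', 'url' or None."""
    target, headers = parse_request(raw)
    # Cookie header is checked first, then the rewritten URL.
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "JSESSIONID" and value:
            return "cookie", value
    match = URL_PARAM.search(target)
    if match:
        return "url", match.group(1)
    return None, None

# Constructed sample requests (not taken from a real capture).
REQ_FIRST = "GET /app/A HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"
REQ_COOKIE = ("GET /app/B HTTP/1.1\r\nHost: localhost:8080\r\n"
              "Cookie: theme=dark; JSESSIONID=CONSTRUCTED0001\r\n\r\n")
REQ_REWRITE = ("GET /app/B;jsessionid=CONSTRUCTED0001?x=1 HTTP/1.1\r\n"
               "Host: localhost:8080\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("first hit", REQ_FIRST),
                       ("redirect, cookie sent", REQ_COOKIE),
                       ("redirect, URL rewritten", REQ_REWRITE)]:
        print(label, "->", session_carrier(raw))
```

If the request for servlet B classifies as `cookie`, the browser is still returning the session cookie, which is the situation the answers suspect.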
A: 

This is strange.

When I tested the application yesterday, it was exhibiting a behaviour similar to what I have described. However, as I test the application now, it behaves perfectly, as I expect it to.

The cause could probably be that I did not restart my browser session after disabling cookies.

Will let you guys know if I experience the same behaviour again.

Thanks for your time, guys!

divesh premdeep
