I am currently running an application with the following properties:

  • Java-based with Spring and Acegi
  • Running on Tomcat 5

I need the ability to support user sessions without cookies. Could someone please point me in the right direction.

Thank you.

+1  A: 

You could track by IP address, but proxy servers (and NAT?) could mess you up.

You could force all URLs to have the session as a parameter, and all forms as a hidden field. Maybe a custom tag for generating URLs could help here, but I've not done much work with taglibs.

You will need to consider security - people might email links to someone else with the session id in it, so you will want to have an IP address check for each access to check that the address matches the session.

JeeBee
+2  A: 

See http://tomcat.apache.org/tomcat-5.5-doc/config/context.html.

In a file META-INF/context.xml,

    <?xml version='1.0' encoding='UTF-8'?>
    <Context path='/myApplicationContext' cookies='false'>
      <!-- other settings -->
    </Context>

Loki
This seems to append JSESSIONID to the url on the first request to the application. But, how do I ensure that it gets appended to subsequent requests?
Zakir Hemraj
A: 

As matt b commented this should work out of the box (tomcat will try cookies, and if that fails fall back on encoding the session in the url). However, this will not work if you create a 'plain' link yourself - always use a method like JSTL's so tomcat can add the tracking parameter to all urls.

Simon Groenewolt
+2  A: 

The complete answer to this question is a combination of all your responses, so I'm going to summarize:

  1. There is no need to set cookies="false" in the context.xml file. The ideal functionality is for tomcat to use its url-based session identification, which will be used by default if cookies are not supported by the user.

  2. When a user doesn't have cookies enabled, tomcat will identify the session by the "JSESSIONID" parameter from the url of the request. A couple of sample urls are as follows:

    http://www.myurl.com;jsessionid=123456AFGT3
    http://www.myurl.com;jsessionid=123456AFGT3?param1=value&param2=value2

     Notice how the session id is not part of the url query string (this is a j2ee standard).

  3. In order to ensure the jsessionid parameter gets appended to all your request URLs, you can't have plain url references. For example, in JSTL, you have to use <c:url>. The servlet engine will then automatically append the jsessionid to the url if it is necessary. Here's an example:

    <%--this is bad:--%> <a href="page.html">link</a>

    <%--this is good:--%> <a href="<c:url value='page.html'/>">link</a>

Zakir Hemraj