User sessions and cookies. How does an application server do it?

Andrea Desole

A usual way to check if the browser supports cookies is to set a cookie
(using either JavaScript or server side Java code), and then to check
that a cookie is set. However, an application server is supposed to do
the same check, since it has to decide if the session id has to be
stored in a cookie or as a request parameter in the URL.
Since the application server doesn't add any JavaScript to the page, the
only way would be to set a cookie when the first page is loaded,
redirect to a second page, and check on the second page that the cookie
is there. That looks unlikely.
I would be curious to know how an application server solves this
problem. I found nothing in the W3C specs that gives me a hint.
Does anyone have an idea?
 
Wendy S

Andrea Desole said:
> I would be curious to know how an application server solves this problem.
> I found nothing in the W3C specs that gives me a hint.
> Does anyone have an idea?

You'll probably have more luck in the Servlet specification or in the source
code for Tomcat.

What seems to happen is that the server sets a cookie on the first page, and
rewrites all the URLs on that page with ;jsessionid appended. On the next
request, it checks for the cookie, but if it's not there, the server can
still get the session ID from the end of the URL. If the cookie was
present, it stops rewriting the URLs, if not, it continues doing so.

Just my guess based on observation, it works so I haven't delved into
exactly HOW it works.
 
Andrea Desole

> You'll probably have more luck in the Servlet specification or in the source
> code for Tomcat.

Yes, I thought about looking at the code.

> What seems to happen is that the server sets a cookie on the first page, and
> rewrites all the URLs on that page with ;jsessionid appended. On the next
> request, it checks for the cookie, but if it's not there, the server can
> still get the session ID from the end of the URL. If the cookie was
> present, it stops rewriting the URLs, if not, it continues doing so.

Mmm, that means that you always have the session id in the second URL,
which indeed seems to be the case. I'll look at it.

> Just my guess based on observation, it works so I haven't delved into
> exactly HOW it works.

:) I understand. It's just that I looked at how to check if cookies are
enabled, and I thought that probably a server uses an easier solution,
which I don't know. We also had a strange issue here (session cookie was
set on Mozilla but not on IE, and a new session was created each time),
that really made me wonder how the thing works.
I'm now simply using isRequestedSessionIdFromCookie() to check that
cookies are supported, and it works, but I'm still curious.
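
The behaviour described in this thread (a cookie plus `;jsessionid` links on the first response, with the rewriting dropped once the cookie comes back) is modelled below for a client that stores cookies and one that does not. This is an added example, not code from the thread, from Tomcat or from the Servlet specification; `handle`, `browse`, the `/start` and `/next` paths and the in-memory `SESSIONS` store are names made up for the illustration.

```python
import re
import secrets

SESSIONS = {}  # session id -> session data (in-memory stand-in for the container's store)
SID_IN_URL = re.compile(r";jsessionid=([0-9a-f]+)")

def handle(url, cookies):
    """Model of one request. Returns (set_cookie, link, id_from_cookie)."""
    cookie_sid = cookies.get("JSESSIONID")
    match = SID_IN_URL.search(url)
    url_sid = match.group(1) if match else None

    # A valid cookie wins; the URL parameter is the fallback.
    id_from_cookie = cookie_sid in SESSIONS
    if id_from_cookie:
        sid = cookie_sid
    elif url_sid in SESSIONS:
        sid = url_sid
    else:
        sid = None

    set_cookie = None
    if sid is None:  # first request: create the session and offer a cookie
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {}
        set_cookie = sid

    # Analogue of encodeURL(): keep appending the id until a cookie has come back.
    link = "/next" if id_from_cookie else f"/next;jsessionid={sid}"
    return set_cookie, link, id_from_cookie

def browse(accepts_cookies, clicks=3):
    """Constructed client: follows the returned link, optionally storing cookies."""
    jar, url, trace = {}, "/start", []
    for _ in range(clicks):
        set_cookie, link, id_from_cookie = handle(url, jar)
        if set_cookie and accepts_cookies:
            jar["JSESSIONID"] = set_cookie
        trace.append((url, id_from_cookie))
        url = link
    return trace

if __name__ == "__main__":
    for accepts in (True, False):
        print("cookies on" if accepts else "cookies off")
        for url, from_cookie in browse(accepts):
            print(f"  {url}  id_from_cookie={from_cookie}")
```

In the trace, the client without cookies carries the session ID in every URL it requests, which is also where the ID becomes visible to server logs and `Referer` headers. Servlet 3.0 and later let a deployment restrict tracking to cookies with `<tracking-mode>COOKIE</tracking-mode>` under `<session-config>` in `web.xml`.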
 
