Session Behaviour

I am a bit confused with session behavior in servlets.

Whenever i submit my first request by clicking submit button( say click on website:javaranch.com url on address bar in IE)is a session is created?

A server responds with response and the sessionid (opens javaranch.com).
Is a session maintained at this point?When it get destroyed?I dont need any session here.I need session only when user logins into his account

What happens when he enters username and password i.e.does a new session gets created?Is this session different from session when he clicked website page.

Also we set session timeout value.A normal login says 'Session Expired' once maxInactiveInterval has elapsed but what about session created when he clicked on website page?When it get destroyed?

Please clear this confusion of when a session get created and how it getting invalidated though i haven't mentioned session.invalidate() anywhere?

Making a request to a servlet won't necessarily create a session.
The session will be created for you when you call getSession() or getSession(true) (I never bother with the second version).

JSPs, however will, by default, cause a session to be generated when hit.
There is a directive to tell the server not to generate the session but, again, by default, JSPs create sessions.

An HTTP session is not the same as login, unless you write your own security.
For many of us, the declarative security offered by the spec is useful only for small simple apps. So, invaliding a session, doesn't necessarily log a person out when using declarative security.


The servlet spec does a good job of describing how session work.
There is a link to it in my signature.
[ March 28, 2008: Message edited by: Ben Souther ]