jQuery in Action, 3rd edition
The moose likes JSP and the fly likes Session ID Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "Session ID" Watch "Session ID" New topic

Session ID

verduka fox
Ranch Hand

Joined: Jan 18, 2001
Posts: 178
I have a web-based intranet application that uses JSP's and Java Beans (no EJBs). We are in the process of implementing extensive auditing to track user activity. I am using request.getRemoteAddr() to get the IP of the machine from which the user is accessing the application. I am now interested in also getting the session ID, as the user could have multiple instances of the application open on the same pc by using multiple browsers. I believe that I should be able to use session.getID() to get this value. However, I have a few questions. How is the session ID generated? Are they always unique? If not, what pattern is used to repeat the IDs? I have been printing them out, and the ones I have seen so far are 23 characters. Are they always this length?
Basically, I'm looking for a little more information to know if it is worthwhile for us to track the session id in our auditing. It needs to be unique so that it can identify different sessions. Please comment.
Thank you for your help.
Asher Tarnopolski
Ranch Hand

Joined: Jul 28, 2001
Posts: 260
i can't tell you exactly about the way the sessions get their id. i think there is a big chance it's a vendor specific feature of different servers.
when you open a number of browser windows, all of them relay to the same session on server. the session's attributes are not thread safe.
but! when you open a new browser window you still send a new request to the server which can be helpful for you together with session id.
i didn't understand what exactly do you wanna do in your application, so you have to think about it by yourself
yeh, you should also pay attention to the fact that request.getRemoteAddr() can return the ip of user's proxy server. for number of users using the same proxy the result will be the same..

Asher Tarnopolski
Jeff Grant
Ranch Hand

Joined: Dec 19, 2001
Posts: 169
Originally posted by Asher Tarnopolski:

I searched java.sun.com for that and couldn't find it. Also tried it in a JSP page but could got an error saying that the getRemoteAddr was not found.
Just in case you abreviated, I tried getRemoteAddress() with no luck as well.
What class is that under which I need to import?
Ivan Matmati
Ranch Hand

Joined: Feb 26, 2003
Posts: 41
From the javadoc:
Interface ServletRequest
All Known Subinterfaces:
public java.lang.String getRemoteAddr()
Returns the Internet Protocol (IP) address of the client that sent the request. For HTTP servlets, same as the value of the CGI variable REMOTE_ADDR.
a String containing the IP address of the client that sent the request

No Gates!<p>SCPJ 1.4<br />SCWCD 1.4
verduka fox
Ranch Hand

Joined: Jan 18, 2001
Posts: 178
I'm looking for more information on session.getID(). I feel that request.getRemoteAddr() is giving me the IP and that is what I needed. Now I'm trying to determine how the session IDs are assigned. Are they reused? I want to determine if the user has more than one browser open to my web app. I need to know if these two browsers will have different session IDs. I am not trying to perform actions across these browsers. I just want to know if they have separate identities in terms of session IDs.
I also need to know how long the IDs can be. Upon initial testing, it looks like mine are 23 characters. Are there "rules" regarding the length of the session ID?
Andy Bowes
Ranch Hand

Joined: Jan 14, 2003
Posts: 171
Hi Verduka
As Asher pointed out the generation of Session Id is vendor specific. I suspect that most vendors use a form of GUID generation that includes parts that are formed from the IP address of the server and the datetime that the session was created.
I am not convinced that you will be able to identify exactly which browser window performed the operation as it is possible that the same session id will be used by multiple browser windows on the client's PC.
I am also not convinced that the Remote Address will provide the level of auditing and user indentication that you think either since if multiple users access your application via the same proxy server it is the IP address of the proxy server not the individaul client PC that will be picked up by you web-server.
A better method of auditing would be to use some form of user id that is held on the session when the user first logs into your application.

Andy Bowes<br />SCJP, SCWCD<br />I like deadlines, I love the whoosing noise they make as they go flying past - Douglas Adams
Asher Tarnopolski
Ranch Hand

Joined: Jul 28, 2001
Posts: 260
try to run this code:

run it once and when you'll get a response in the browser window just try to open some new browser windows (if u use ie - just press
ctrl+n couple of times...) you will see that the session id won't change, but number of "REQUEST"s
will show you that you can check if the same client opens more than one window. now think how to implement the check you need (you might think about checking session attribute or you can play
with HttpSessionAttributeListener, or whatever...)
I agree. Here's the link: http://aspose.com/file-tools
subject: Session ID
It's not a secret anymore!