use only encodeURL() even end-user supports cookies

Gangadhar Reddy
Greenhorn

Joined: Aug 13, 2007
Posts: 25
The container sees that you called request.getSession() on the FIRST request and realizes that it needs to start a new session with this client, so the container sends the response with both a "Set-Cookie" header for the session ID and the session ID appended to the URLs (assuming you used response.encodeURL()).

Let us consider that this client accepts cookies.

Now my doubt is whether the SECOND request from this client contains cookies as part of its request or jsessionid will also be appended to the URL or both?

I have one more question.

Some banking websites, such as www.icicibank.com, MUST encode URLs, whether or not the end user accepts cookies. How can one encode URLs even when the end user supports cookies, as the container may not want to set cookies because of security constraints?
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
Yes. If cookies are enabled, the second request will send the cookies, and the container will know to use cookies for session tracking instead of URL rewriting. Even so, URL rewriting can only be used if you pass all generated URLs through the encodeURL method.


Bosun (SCJP, SCWCD)
So much trouble in the world -- Bob Marley
Gangadhar Reddy
Greenhorn

Joined: Aug 13, 2007
Posts: 25
Bosun Bello,

So you mean to say that, for the second request to the server, the session ID will be appended to the URL AND the session will be enclosed in cookies too. When the container receives this request, it will check whether the end user accepts cookies or not. But how could the container know that the end user is accepting cookies? Because when the container uses request.getSession() it's going to get session id either from URL or from inside cookie. Thereby it cannot say where it is coming from?

My other question is...

Do we have separate pages/coding for the same application which accepts cookies and which does not accept cookies?

If there is a requirement where one MUST overwrite the URL even if the end user accepts cookies, can we accomplish this? If so, could you please tell me?
A Bhattacharya
Ranch Hand

Joined: Oct 22, 2007
Posts: 125
You appear confused when you say
>> Because when the container uses request.getSession() it's going to get session id either from URL or from inside cookie. <<
The container is the one implementing getSession. The web application residing in the container uses it.
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687

>> Do we have separate pages/coding for the same application which accepts cookies and which does not accept cookies? <<

No. Enabling/disabling cookies is something controlled by the browser, not by individual pages.

>> If there is a requirement where one MUST overwrite the URL even if the end user accepts cookies, can we accomplish this? <<

No, there's no requirement to do it. However, if you want to ensure that users who disabled cookies on their browser can use a session, you'd better use URL rewriting.


[My Blog]
All roads lead to JavaRanch
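
Added example, not part of any post in this thread: a small servlet that reports how the container received the session ID on each request, using the standard HttpServletRequest methods isRequestedSessionIdFromCookie() and isRequestedSessionIdFromURL(), and shows what response.encodeURL() returns for a link. The class name, the "/track" mapping and the javax.servlet (Servlet 3.0+) packages are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; name and URL mapping are assumptions.
@WebServlet("/track")
public class SessionTrackingDemo extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Creates a session on the first request; later requests that carry
        // a valid session ID (cookie or URL) get the existing session back.
        HttpSession session = request.getSession();

        // The container records where the ID on THIS request was found.
        // On the very first request no ID was sent, so both are false.
        boolean fromCookie = request.isRequestedSessionIdFromCookie();
        boolean fromUrl = request.isRequestedSessionIdFromURL();

        // encodeURL() returns the URL unchanged when the container decides
        // rewriting is not needed (for example, the ID arrived in a cookie);
        // otherwise it appends the session ID to the URL.
        String nextLink = response.encodeURL("track");

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("session is new:        " + session.isNew());
        out.println("ID sent in cookie:     " + fromCookie);
        out.println("ID sent in URL:        " + fromUrl);
        out.println("encodeURL(\"track\") -> " + nextLink);

        // A session ID carried in a URL can end up in browser history,
        // proxy and server logs, and Referer headers, so note when it happens.
        if (fromUrl) {
            log("Session ID arrived via URL rewriting from "
                    + request.getRemoteAddr());
        }
    }
}
```

Requesting the page twice, once with cookies enabled and once with them disabled in the browser, shows how the three values change between the first and second request.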
 