Hi all I have read the servlet specifications and there are a few points I'm quite confused regarding session. From what I have read, it seem that to support session management, you can do either (1) cookies or (2) url rewriting e.g. http://...;jsessionid=1234. Normally when we need to get/create a session, we need to use something like HttpServletRequest.getSession(); within the servlet. Does this method still works if the site is http (not https) without the above rewritting ? I thought it should not be working as http is a stateless protocol ? I have created a small servlet using the getSession() and it worked. Is this due to cookies or the browser handles the jessionid automatically ? Thanks in advance.
http is stateless, that is why you "add" statefulness with cookies or URL re-writing. https is stateful so you dont need (in theory) cookies or URL re-writing -- the protocol itself does all that. In practice you dont normally need to worry about it, as the app-server should handle it all for you transparently.