File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes Session Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Session" Watch "Session" New topic


Kodo Tan
Ranch Hand

Joined: Aug 14, 2001
Posts: 105
Hi all
I have read the servlet specifications and there are a few points I'm quite confused regarding session.
From what I have read, it seem that to support session management, you can do either (1) cookies or (2) url rewriting e.g. http://...;jsessionid=1234.
Normally when we need to get/create a session, we need to use something like HttpServletRequest.getSession(); within the servlet. Does this method still works if the site is http (not https) without the above rewritting ?
I thought it should not be working as http is a stateless protocol ? I have created a small servlet using the getSession() and it worked. Is this due to cookies or the browser handles the jessionid automatically ?
Thanks in advance.
James Hobson
Ranch Hand

Joined: Aug 28, 2001
Posts: 140
http is stateless, that is why you "add" statefulness with cookies or URL re-writing.
https is stateful so you dont need (in theory) cookies or URL re-writing -- the protocol itself does all that.
In practice you dont normally need to worry about it, as the app-server should handle it all for you transparently.
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

Sessions are managed through cookies.

If your browser doesn't support cookies, then URL re-writing is what needs to be done. The session id is then writen into all URLs emmited by your servlet or JSP's.

So the bottom line is, sessions in JSP/Servlet land are *actually* identified by a jsessionid cookie. If a particular client doesn't allow cookies, then this id needs to be written into the URL.
I agree. Here's the link:
subject: Session
It's not a secret anymore!