This week's book giveaways are in the Java EE and JavaScript forums.
We're giving away four copies each of The Java EE 7 Tutorial Volume 1 or Volume 2(winners choice) and jQuery UI in Action and have the authors on-line!
See this thread and this one for details.
The moose likes Servlets and the fly likes session management -cookie disabled Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of The Java EE 7 Tutorial Volume 1 or Volume 2 this week in the Java EE forum
or jQuery UI in Action in the JavaScript forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "session management -cookie disabled" Watch "session management -cookie disabled" New topic
Author

session management -cookie disabled

thomas davis
Ranch Hand

Joined: Feb 01, 2003
Posts: 207
Hi All,
In case of disabling cookies by user, would it affect the session management? Suppose if I handled the session using session.setAttribute () and session.getAttribute of HttpSession, and user switched off cookies what would happen to my data stored in the session? Does their state persist through out the session or would it remove from the session? If that is the case what could be the best solution for the data persistence?
Your answers would be highly appreciated.
Thanks in advance.
Fisher Daniel
Ranch Hand

Joined: Sep 14, 2001
Posts: 582
If user's browser disable cookies, every request from users will be known as new session...
You can change the mothod using URL Rewriting...
Correct me if i am wrong
daniel
R K Singh
Ranch Hand

Joined: Oct 15, 2001
Posts: 5371
Servlet engine will automaticaly take care if cookies are disabled and use URL rewriting.
To know whether engine is using cookie or URL re-writing for sesssion tracking. there are methods in request.
isSessionByCookie and isSessionByURLrewrite..
THese are not exact name .. check it out in API.


"Thanks to Indian media who has over the period of time swiped out intellectual taste from mass Indian population." - Chetan Parekh
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
Use of URL rewriting is NOT automatic - you the programmer must decide which URLs are to be run through the encodeURL method to have the sessionID encoded.
See the HttpServletResponse.encodeURL method.
Bill
R K Singh
Ranch Hand

Joined: Oct 15, 2001
Posts: 5371
Originally posted by William Brogden:
...the encodeURL method to have the sessionID encoded.

java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged.
thomas davis
Ranch Hand

Joined: Feb 01, 2003
Posts: 207
Thanks for your reply and the insights into the session management.
I am using WebSphere as my webserver and by default the websphere used(enabled) cookie-based session tracking in its configuration file, where the session id is saved on the client in a persistent cookie. I know that Websphere also supports session tracking based on URL rewriting, as fallback for browsers do not accept cookies.
But when I tried to change the default setting of Websphere server for session tracking from Cookie-based to URL Rewriting-based.And I also disabled the cookies on my browser. I found an interesting thing that my application is not functioning properly. I used session from the base servlet itself (all servlets extending from the base servlet) .Now my session tracking is done by server using URL rewriting-based background process. And I also rewritten every local URL before sending it to the client using HttpServletResponse.encodeURL (String url). Unfortunately the data I put it in session not persisted while navigating back and forth. And It is not going from very first screen to next screen, it is giving session timed out screen instead (all pages will be redirected to this particular page, if there is no session or session inactive interval is gone beyond what we set it). Is it problem of WebSphere Server? If not what I can do for persisting my data when user turned off cookies? I missed one valid point that I am using HttpSession for session tracking in my application.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
I used session from the base servlet itself (all servlets extending from the base servlet) .Now my session tracking is done by server using URL rewriting-based background process. And I also rewritten every local URL before sending it to the client using HttpServletResponse.encodeURL (String url).

There are a couple of points there that concern me. How can you "use session from the base servlet"? that sounds like you are using an instance variable.
Also - how can you have a "URL rewriting-based background process?" - rewriting requires the sessionID unique to a given user.
Bill
thomas davis
Ranch Hand

Joined: Feb 01, 2003
Posts: 207
Quote :
There are a couple of points there that concern me. How can you "use session from the base servlet"? that sounds like you are using an instance variable.
Also - how can you have a "URL rewriting-based background process?" - rewriting requires the sessionID unique to a given user.
Bill

There are a couple of points there that concern me. How can you "use session from the base servlet"? that sounds like you are using an instance variable.
Also - how can you have a "URL rewriting-based background process?" - rewriting requires the sessionID unique to a given user.
Bill
This is my base servlet :
public abstract class MainController extends HttpServlet {

public MainController() {
super();
}
public void doGet(HttpServletRequest req, HttpServletResponse res) throws javax.servlet.ServletException, java.io.IOException
{
HttpSession session = null;

try
{
session = req.getSession(false);
if(session == null)
{

PrintWriter out=res.getWriter();
res.setContentType("text/html");
}

else
{
session = req.getSession(true);
session.setMaxInactiveInterval(IRfxConstants.SESSION_TIME_OUT);
doProcess(req, res);
}


}
catch(Exception e)
{
String errMsg = e.getMessage();
System.out.println("Error ! "+e.toString());
req.setAttribute("errMessage",errMsg);
RequestDispatcher rd = getServletContext().getRequestDispatcher(IRfxConstants.ERROR_PAGE);
rd.forward(req,res);
}
}
public void doPost(HttpServletRequest req, HttpServletResponse res) throws javax.servlet.ServletException, java.io.IOException
{
doGet(req,res);
}
public void init(ServletConfig config) throws ServletException
{
super.init(config);
}

public abstract void doProcess(HttpServletRequest req, HttpServletResponse res) throws Exception;
}
1st Point) This is my base servlet and I am extending this servlet to all my other servlets, In this servlet, I am declaring the session like this, session = req.getSession (false);

2nd Point) that was the option given by the web server, if you go to config file of WebSphere, you can see two options, one is session management based on cookie, value of this attribute set to true by default. If I disable the cookie on my browser, my application is not saving the data in the session. I think this option will not work if user turned off cookies.At any cost I have to go for other option.
There is another option called UrlRewritng in WebSphere value of this attribute set to false by default. According to theory if I turned UrlRewriting "true",I have a question whether this will be helpful for the persistence of my data,evenif the user turn off cookie from browser.
I will tell you what I have tried:
1 step) Turned URLREWRITING OPTION OF websphere turned to true and COOKIE option turned to false
2 step) Turned cookie off from my browser
3 step) I encoded all url using
But efforts went in vain. No persistence.
Can you please tell me how to achieve session tracking using HttpSession and WebSphere´┐Żs features? This should work in case of user turned off cookies on browser.
Nidhi Gupta
Greenhorn

Joined: Apr 09, 2003
Posts: 2
Originally posted by thomas davis:
Hi All,
In case of disabling cookies by user, would it affect the session management? Suppose if I handled the session using session.setAttribute () and session.getAttribute of HttpSession, and user switched off cookies what would happen to my data stored in the session? Does their state persist through out the session or would it remove from the session? If that is the case what could be the best solution for the data persistence?
Your answers would be highly appreciated.
Thanks in advance.
Nidhi Gupta
Greenhorn

Joined: Apr 09, 2003
Posts: 2
i am just trying to figure out how a discussion forum is designed..Please don mind this.

Originally posted by thomas davis:
Hi All,
In case of disabling cookies by user, would it affect the session management? Suppose if I handled the session using session.setAttribute () and session.getAttribute of HttpSession, and user switched off cookies what would happen to my data stored in the session? Does their state persist through out the session or would it remove from the session? If that is the case what could be the best solution for the data persistence?
Your answers would be highly appreciated.
Thanks in advance.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
When you extend that base servlet, do you override doGet and doPost? What exactly are you trying to gain by having a base servlet class? Remember, you can't use instance variables for user specific data.
I know we have some Websphere experts around here maybe one will respond - I have no idea what that parameter implies.
Bill
thomas davis
Ranch Hand

Joined: Feb 01, 2003
Posts: 207
Quote Bill
----------------------------
When you extend that base servlet, do you override doGet and doPost? What exactly are you trying to gain by having a base servlet class? Remember, you can't use instance variables for user specific data.
I know we have some Websphere experts around here maybe one will respond - I have no idea what that parameter implies.
----------------------------
I have one abstract method public abstract void doProcess(HttpServletRequest req, HttpServletResponse res) throws Exception; in my base servlet I am overriding this method in all my servlets.
So that I can handle session time out and error handling at one place.
I do not understand ,how session variable become instance variable in my base servlet?
I declared that variable in doGet Method of the base servlet.
thomas davis
Ranch Hand

Joined: Feb 01, 2003
Posts: 207
Quote
------------------------------
I know we have some Websphere experts around here maybe one will respond - I have no idea what that parameter implies.
Bill
---------------------------------
I am wondering why are people and other experts not responding to the above question?
Geoffrey Falk
Ranch Hand

Joined: Aug 17, 2001
Posts: 171
    
    1
I am having a problem with URL rewriting. I am using Struts tags to do the rewriting automatically, and the jsessionid gets appended to the URL. The problem is that Tomcat doesn't recognize the jsessionid in the URL. Consequently my application does not preserve its session.
This is with Struts 1.0.2 and Tomcat 4.1.24.
I am using port 8080 (Tomcat's built-in server), so it is not a problem with the Apache connector.
Sessions work perfectly if cookies are enabled.
Can someone please give me an insight into this problem.
Thanks
Geoffrey


Sun Certified Programmer for the Java 2 Platform
Geoffrey Falk
Ranch Hand

Joined: Aug 17, 2001
Posts: 171
    
    1
Sorry for 1) appending a new question to an existing thread, and 2) answering my own question
Anyways, I solved my problem. Turns out it was related to frames. I was loading the main frame properly, but not using URL rewriting on the individual frames called from the main frame.
Geoffrey
--
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
I have one abstract method public abstract void doProcess(HttpServletRequest req, HttpServletResponse res) throws Exception; in my base servlet I am overriding this method in all my servlets.

So basically your doGet ensures that the request has a session and sets a timeout, but then passes the request and response to the doProcess in your real servlet class. OK, I was not clear on why you did it that way but it should work.
Maybe you should try your WebSphere configuration question in the IBM/Websphere discussion area.
I think that if I had your problem, the first thing I would do is log more information about the request in your doGet - before it calls doProcess. The next thing I would do is examine exactly what your servlet is writing to the browser using "view source" and if that does not reveal the problem I would spy on the response headers.
Bill
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
    
    5
Originally posted by William Brogden:
When you extend that base servlet, do you override doGet and doPost? What exactly are you trying to gain by having a base servlet class? Remember, you can't use instance variables for user specific data.
I know we have some Websphere experts around here maybe one will respond - I have no idea what that parameter implies.
Bill

Hi Bill -- the idea of a base servlet is a common enough one. I generally suggest it too in cases where doPost() and doGet() will be handled the same, and if there is any application-common handling (like the exception handling idea he mentioned).
Now, on to the original question -- Bill was right the first time. It doesn't matter if you turn URL Rewriting on in WebSphere; if you do not ALSO use the encodeURL() method on ALL of your URL's session URL rewriting won't work. The idea behind URL rewriting is that every URL that's sent to the Servlet has a Session id parameter tacked on -- that's what the encodeURL() method adds to a URL. So you have to use that method EVERYWHERE you output a URL that points back to you -- in your JSPs and your servlets both. So, if you have a reference to a URL in an HTTP page as part of a FORM, you need to change that HTTP page to a JSP page and wrap that URL in the encodeURL() method.
This is covered IN DEPTH in the WebSphere InfoCenter. You should probably go check that out too.
Kyle


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
thomas davis
Ranch Hand

Joined: Feb 01, 2003
Posts: 207
Quote Thomas Davies .................................................
1 step) Turned URLREWRITING OPTION OF websphere turned to true and COOKIE option turned to false
2 step) Turned cookie off from my browser
3 step) I encoded all url using
But efforts went in vain. No persistence
The above statements have been pasted in all my posts.
Quote Kyle
.............................................................................
on -- that's what the encodeURL() method adds to a URL. So you have to use that method EVERYWHERE you output a URL that points back to you -- in your JSPs and your servlets both. So, if you have a reference to a URL in an HTTP page as part of a FORM, you need to change that HTTP page to a JSP page and wrap that URL in the encodeURL() method.
..........................................................................................
Hi Kyle ,
I tried to do it in my all jsps and servlets and I do not have any HTML page in between. When I navigate from very first page to next page, not able to preserve my session.
I am not able to figure out the problem, this occurs only when I switched off cookies from my browser. Please add some insight on it that will be greatly appreciated.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
When you "view source" for a page that supposedly has all of the URLs encoded, do the URLs look right? Are all of the URLs involved part of the same "web application"?
Bill
[ April 14, 2003: Message edited by: William Brogden ]
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
 
subject: session management -cookie disabled