JSESSIONID question

Sagar Salapaka

Joined: Feb 06, 2002
Posts: 12
Can anyone explain why my JSESSIONID cookie does not change even if I log off [calls ] and log back in to the application?
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

Well it should, but in truth it doesn't have to.
Firstly, don't confuse logging off with invalidating the session. Invalidate can often cause a logoff or behaviour similar to it, but they aren't the same.
The session id is just a tag to associate requests to a client and therefore introduce some state to the server. A client can send an invalid session id, as long as the server doesn't do anything with it, there's no problem. If someone has a valid session id then it is invalidated, the session is no longer valid, but there is no reason the same id can't be retained. If the person then starts a new session, it is OK for the server to see this ID and reuse it.
In practice, I think this behaviour would be specific to the server you are using. It's valid, but far too specific for all servers to do it. Never make any assumptions on sessions or session ids, they tend to be slightly different on each server.
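
Because the answer above leaves session id reuse up to the server, an application that needs a different JSESSIONID after each login can ask for one explicitly instead of relying on container behaviour. The servlet below is an added example, not code from this thread; the `/auth/*` mapping, parameter names and redirect targets are assumptions, and it relies on `HttpServletRequest.login`/`logout` (Servlet 3.0) and `changeSessionId` (Servlet 3.1).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: URL mapping, parameter names and redirect targets are assumptions.
@WebServlet("/auth/*")
public class AuthServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getPathInfo();
        if ("/login".equals(action)) login(req, resp);
        else if ("/logout".equals(action)) logout(req, resp);
        else resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        try {
            // Container-managed authentication; throws if the credentials are rejected.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // changeSessionId() needs an existing session, so create one if absent,
        // then replace its id so the pre-login id is never the authenticated one.
        req.getSession(true);
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                                // drop the authenticated identity
        HttpSession session = req.getSession(false); // do not create one just to destroy it
        if (session != null) {
            session.invalidate();                    // discard server-side session state
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

Logging out and invalidating are separate calls here, matching the distinction drawn in the answer; the id change on login is what guarantees a new JSESSIONID regardless of how the container treats an invalidated one.
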
Sagar Salapaka

Joined: Feb 06, 2002
Posts: 12
Well explained. Thanks!