
JSESSIONID question

 
Sagar Salapaka
Greenhorn
Posts: 12
Can anyone explain why my JSESSIONID cookie does not change even if I log off [calls ] and log back in to the application?
Thanks.
 
David O'Meara
Rancher
Posts: 13459
Well it should, but in truth it doesn't have to.
Firstly, don't confuse logging off with invalidating the session. Invalidate can often cause a logoff or behaviour similar to it, but they aren't the same.
The session id is just a tag to associate requests to a client and therefore introduce some state to the server. A client can send an invalid session id; as long as the server doesn't do anything with it, there's no problem. If someone has a valid session id and then it is invalidated, the session is no longer valid, but there is no reason the same id can't be retained. If the person then starts a new session, it is OK for the server to see this ID and reuse it.
In practice, I think this behaviour would be specific to the server you are using. It's valid, but far too specific for all servers to do it. Never make any assumptions on sessions or session ids; they tend to be slightly different on each server.
Dave.
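
A toy model of the behaviour described in this answer, added here as an illustration and not taken from the thread or from any servlet container. `SessionIdDemo` and its methods are hypothetical names, and the `reuseClientId` switch is an assumption standing in for the server-specific choice.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Toy model of a container's session manager (hypothetical class, not the Servlet API).
public class SessionIdDemo {
    private final Map<String, Map<String, Object>> live = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final boolean reuseClientId; // true = server keeps the id the client sent

    SessionIdDemo(boolean reuseClientId) { this.reuseClientId = reuseClientId; }

    // Returns the id the server would send back in the JSESSIONID cookie.
    String getOrCreate(String cookieId) {
        if (cookieId != null && live.containsKey(cookieId)) {
            return cookieId; // session is still valid, nothing changes
        }
        // Cookie is absent, unknown or invalidated: a new, empty session starts here.
        String id = (reuseClientId && cookieId != null)
                ? cookieId
                : new BigInteger(128, rng).toString(16);
        live.put(id, new HashMap<>());
        return id;
    }

    // Invalidation discards the server-side state; the id string itself is just a tag.
    void invalidate(String id) { live.remove(id); }

    void set(String id, String key, Object value) { live.get(id).put(key, value); }

    Object get(String id, String key) {
        Map<String, Object> s = live.get(id);
        return s == null ? null : s.get(key);
    }

    public static void main(String[] args) {
        for (boolean reuse : new boolean[] {true, false}) {
            SessionIdDemo server = new SessionIdDemo(reuse);
            String first = server.getOrCreate(null);   // first visit, no cookie yet
            server.set(first, "user", "alice");        // constructed sample login
            server.invalidate(first);                  // log off
            String second = server.getOrCreate(first); // browser resends the old cookie
            System.out.printf("reuse=%b sameId=%b userAfterRelogin=%s%n",
                    reuse, first.equals(second), server.get(second, "user"));
        }
    }
}
```

In both modes the attribute stored before log-off is gone after the new session starts, whether or not the ID matches. On a real container, `HttpServletRequest.changeSessionId()` (Servlet 3.1) assigns a new ID to the current session when a fresh one is required.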
 
Sagar Salapaka
Greenhorn
Posts: 12
Well explained. Thanks!
 