Sessions without cookies

G Alexanders

Joined: Feb 21, 2005
Posts: 2
I would like to create and maintain a session without relying on a visitor accepting that a cookie be stored on his or her computer - and without a visitor even maybe being prompted to accept one. Granted, I can encode the URL to which I want to direct the visitor with HttpResponse's encodeURL method and, therefore, not depend on a cookie to maintain any established session. Given that--using this method--the program does not need a cookie stored on the visitor's computer, I would like the visitor to never even be asked to accept one. But with even just . . .

. . . in the servlet, a visitor (whose browser is set neither to accept nor to reject all cookies) is potentially bothered with a question like: "the site localhost:8080 wants to set a cookie - do you accept?" How can I avoid visitors being annoyed with a question like this, given that the program will maintain any established sessions regardless of cookies being accepted or not?
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
We can use HttpSession without cookies. Some reading required.
Eugene Lucash
Ranch Hand

Joined: Feb 19, 2005
Posts: 77
I have discovered that prevention of using cookies for session identification is not defined in the Servlet API spec. And it is server specific (or vendor specific). For example, in Caucho Resin server you can do something like this
<web-app id='/'>
</web-app> in deployment descriptor
But it doesn't work in other servers (or works in some other way).

I think there is a way to do some manual hacking, clearing cookies using the Filter API or something similar (or even Session Listeners). There are some properties on the Session API too (like HttpServletRequest.isRequestedSessionIdFromCookie()).

So it's not a trivial task.
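
Added example, not part of the original posts: Servlet 3.0 and later (released after this thread) define a container-independent way to switch session tracking to URL rewriting only, so no session cookie is ever offered to the browser. The class names, the `/start` path and the `hits` attribute are hypothetical, and the code assumes the `javax.servlet` 3.0+ API (`jakarta.servlet` on newer containers).

```java
// Added example: class names, the /start path and the "hits" attribute are hypothetical.
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebListener
public class UrlOnlySessions implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // URL rewriting only: the container emits no session cookie,
        // so the browser has nothing to prompt the visitor about.
        // This must be called during context initialization.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));
        ctx.addServlet("start", new StartServlet()).addMapping("/start");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

class StartServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        Integer hits = (Integer) session.getAttribute("hits");
        session.setAttribute("hits", hits == null ? 1 : hits + 1);
        // encodeURL appends the session id to the link. Every link, form action
        // and redirect (encodeRedirectURL) must be encoded or the session is lost.
        String next = resp.encodeURL(req.getContextPath() + "/start");
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().println("<p>Hits: " + session.getAttribute("hits") + "</p>"
                + "<p>Session id came from URL: " + req.isRequestedSessionIdFromURL() + "</p>"
                + "<a href=\"" + next + "\">again</a>");
    }
}
```

With URL-only tracking the session id appears in the address bar, browser history, server access logs and Referer headers, so a rewritten URL has to be handled like a credential.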
G Alexanders

Joined: Feb 21, 2005
Posts: 2
Thank you, Eugene, for pointing me in the direction of my servlet engine. It had not occurred to me that this would be vendor-specific. I'll look again at Tomcat configuration.