
Sessions without cookies

 
G Alexanders
Greenhorn
Posts: 2
I would like to create and maintain a session without relying on a visitor accepting that a cookie be stored on his or her computer - and without a visitor even maybe being prompted to accept one. Granted, I can encode the URL to which I want to direct the visitor with HttpResponse's encodeURL method and, therefore, not depend on a cookie to maintain any established session. Given that--using this method--the program does not need a cookie stored on the visitor's computer, I would like the visitor to never even be asked to accept one. But with even just . . .

. . . in the servlet, a visitor (whose browser is set neither to accept nor to reject all cookies) is potentially bothered with a question like: "the site localhost:8080 wants to set a cookie - do you accept?" How can I avoid visitors being annoyed with a question like this, given that the program will maintain any established sessions regardless of cookies being accepted or not?
 
Adeel Ansari
Ranch Hand
Posts: 2874
We can use HttpSession without cookies. Some reading required.
 
Eugene Lucash
Ranch Hand
Posts: 77
I have discovered that prevention of using cookies for session identification is not defined in the Servlet API spec. And it is server specific (or vendor specific). For example, in the Caucho Resin server you can do something like this in the deployment descriptor:

    <web-app id='/'>
      ...
      <session-config>
        <enable-cookies>false</enable-cookies>
        <enable-url-rewriting>true</enable-url-rewriting>
      </session-config>
      ...
    </web-app>

But it doesn't work in other servers (or works in some other way).

I think there is a way to do some manual hacking, clearing cookies using the Filter API or something similar (or even session listeners). There are some properties on the Session API too (like HttpServletRequest.isRequestedSessionIdFromCookie()).

So it's not a trivial task.
 
G Alexanders
Greenhorn
Posts: 2
Thank you, Eugene, for pointing me in the direction of my servlet engine. It had not occurred to me that this would be vendor-specific. I'll look again at Tomcat configuration.
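
Added example, not part of any post in this thread: on containers that implement Servlet 3.0 or later, the standard API has a session tracking mode setting that restricts session tracking to URL rewriting, so the container issues no session cookie. The class names and the `/counter` path are hypothetical, and the `javax.servlet` namespace is assumed (newer containers use `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical listener: runs once at startup, before any request is served.
@WebListener
public class UrlOnlySessions implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Allow URL rewriting only; the COOKIE mode is left out, so the
        // container does not send a session cookie to the browser.
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    // Hypothetical servlet that keeps per-session state through rewritten links.
    @WebServlet("/counter")
    public static class CounterServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession(true);
            Integer hits = (Integer) session.getAttribute("hits");
            hits = (hits == null) ? 1 : hits + 1;
            session.setAttribute("hits", hits);

            resp.setContentType("text/plain");
            PrintWriter out = resp.getWriter();
            out.println("hits=" + hits);
            // Stays false in URL-only mode: the id never arrives in a cookie.
            out.println("idFromCookie=" + req.isRequestedSessionIdFromCookie());
            // Every link must pass through encodeURL to carry the session id.
            // The id is then part of the URL, so it also lands in access logs,
            // browser history and Referer headers.
            out.println("next=" + resp.encodeURL("counter"));
        }
    }
}
```

The same setting can be declared in `web.xml` as `<tracking-mode>URL</tracking-mode>` inside `<session-config>`.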
 