I would like to create and maintain a session without relying on a visitor accepting that a cookie be stored on his or her computer - and without a visitor even maybe being prompted to accept one. Granted, I can encode the URL to which I want to direct the visitor with HttpResponse's encodeURL method and, therefore, not depend on a cookie to maintain any established session. Given that--using this method--the program does not need a cookie stored on the visitor's computer, I would like the visitor to never even be asked to accept one. But with even just . . .
. . . in the servlet, a visitor (whose browser is set neither to accept nor to reject all cookies) is potentially bothered with a question like: "the site localhost:8080 wants to set a cookie - do you accept?" How can I avoid visitors being annoyed with a question like this, given that the program will maintain any established sessions regardless of cookies being accepted or not?
I have discovered that prevention of using cookies for session identification is not defined in the Servlet API spec, and it is server-specific (or vendor-specific). For example, in the Caucho Resin server you can do something like this in the deployment descriptor:

    <web-app id='/'>
      ...
      <session-config>
        <enable-cookies>false</enable-cookies>
        <enable-url-rewriting>true</enable-url-rewriting>
      </session-config>
      ...
    </web-app>

But it doesn't work in other servers (or works in some other way).
I think there is a way to do some manual hacking, clearing cookies using the Filter API or something similar (or even session listeners). There are some properties on the Session API too (like HttpServletRequest.isRequestedSessionIdFromCookie()).
So it's not a trivial task.
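Added example, not part of the original thread or any poster's code: since Servlet 3.0 the API itself lets an application restrict session tracking to URL rewriting, so the container sends no session cookie and `encodeURL` carries the id. The class names, the `/start` path and the `visits` attribute are hypothetical, and the `javax.servlet` namespace is assumed (newer containers use `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UrlOnlySessions {   // hypothetical container class for the example

    /** Runs at deployment: tell the container to track sessions by URL only. */
    @WebListener
    public static class TrackingConfig implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            // With COOKIE left out of the set, no session Set-Cookie is sent.
            sce.getServletContext()
               .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));
        }
        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    @WebServlet("/start")   // hypothetical path
    public static class StartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession();   // creates one if absent
            Integer visits = (Integer) session.getAttribute("visits");
            session.setAttribute("visits", visits == null ? 1 : visits + 1);
            // The id now travels in every link: keep it out of Referer
            // headers sent to other sites and out of shared caches.
            resp.setHeader("Referrer-Policy", "no-referrer");
            resp.setHeader("Cache-Control", "no-store");
            resp.setContentType("text/html;charset=UTF-8");
            // encodeURL appends the session id because URL is the only mode.
            String next = resp.encodeURL(req.getContextPath() + "/start");
            PrintWriter out = resp.getWriter();
            out.println("<p>Visits: " + session.getAttribute("visits") + "</p>");
            out.println("<a href=\"" + next + "\">again</a>");
        }
    }
}
```

The same restriction can be declared in `web.xml` with `<tracking-mode>URL</tracking-mode>` inside `<session-config>`.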
Thank you, Eugene, for pointing me in the direction of my servlet engine. It had not occurred to me that this would be vendor-specific. I'll look again at Tomcat configuration.