This week's book giveaway is in the OCAJP forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide 1Z0-808 and have Jeanne Boyarsky & Scott Selikoff on-line! See this thread for details.
if I use HttpSession to carry objects through a few JSp pages and servlet, action classes, etc, does request.getSession() always return me with the same session I created in the previous page(s) ? I mean, I want to make sure this session is the same, and more importantly, NOT shared. Do I need to do anything to make sure this assumption is valid ?
Session persistence will be transparent as long as your user has session-cookies set to ON in her browser.
If you want to make sure, the paranoids that have even session-cookies OFF, won't spoil your beautiful concept, then there is a little more work involved.
For this case you have to do a little URL rewriting with the encodeURL of the HttpServletResponse object.
public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
Parameters: url - the url to be encoded. Returns: the encoded URL if encoding is needed; the unchanged URL otherwise.
In addition to that, make sure you understood, that there are not several instances of you servlet (or jsp page).
There is always exactly _one_ instance and you share this instance with all other current users. Concurrent usage is handled by leading multiple threads through this instance. This can be quite fun if you expect a field to be in the state you left it on your previous visit, but had visitors in the meantime.
Joined: Dec 16, 2003
Thanks. Now, I am concerned about whether I should use encodeURL() ! The situation for me is --- In the web application I will NOT use any cookie for security reason. My web application is just several JSP pages conncected by some Action classes and a central dispatching servlet. The way I do page switch is to use "forward()" for most of the time and occasionally use "sendRedirect()". Do I really need to use encodeURL and when ?