
always only ONE session ?

Frank Sikuluzu
Ranch Hand

Joined: Dec 16, 2003
Posts: 116
If I use HttpSession to carry objects through a few JSP pages and servlets, action classes, etc., does request.getSession() always return me the same session I created in the previous page(s)? I mean, I want to make sure this session is the same and, more importantly, NOT shared. Do I need to do anything to make sure this assumption is valid?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766

You do not create the session -- it is created on your behalf by the container. Yes, it will persist across requests (unless or until it times out), and no, it will not be shared.


Jeffrey Spaulding
Ranch Hand

Joined: Jan 15, 2004
Posts: 149
Session persistence will be transparent as long as your user has session-cookies set to ON in her browser.

If you want to make sure that the paranoids who have even session-cookies OFF won't spoil your beautiful concept, then there is a little more work involved.

For this case you have to do a little URL rewriting with the encodeURL of the HttpServletResponse object.



encodeURL

public java.lang.String encodeURL(java.lang.String url)

Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.

Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.




In addition to that, make sure you understand that there are not several instances of your servlet (or JSP page).

There is always exactly _one_ instance and you share this instance with all other current users. Concurrent usage is handled by leading multiple threads through this instance. This can be quite fun if you expect a field to be in the state you left it on your previous visit, but had visitors in the meantime.

J.
Frank Sikuluzu
Ranch Hand

Joined: Dec 16, 2003
Posts: 116
Thanks. Now, I am concerned about whether I should use encodeURL()! The situation for me is: in the web application I will NOT use any cookie for security reasons. My web application is just several JSP pages connected by some Action classes and a central dispatching servlet. The way I do page switches is to use "forward()" most of the time and occasionally use "sendRedirect()". Do I really need to use encodeURL, and when?

thanks.
Sharad Agarwal
Ranch Hand

Joined: Sep 11, 2002
Posts: 167
Originally posted by Frank Sikuluzu:
In the web application I will NOT use any cookie for security reasons.


I am not sure I understand this requirement. You don't want to use cookies as that is a security threat, but you are fine with placing the same information in the URL?


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766

Ditto. What security risk do you think you are avoiding?
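
Added example, not part of the original thread or written by any of its posters: a dispatcher servlet showing where per-user state belongs and which of forward() and sendRedirect() needs URL encoding when the session must survive without cookies. The class name, the "step" parameter, the "wizard.step" attribute key and the JSP paths are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical dispatcher servlet; all names and paths here are illustrative.
public class WizardDispatcher extends HttpServlet {

    // WRONG place for per-user data: the container leads every user's request
    // through this one servlet instance, so a field like the one below would be
    // overwritten by whoever called last.
    // private String currentStep;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Returns the session bound to this client, creating one on first use.
        HttpSession session = request.getSession();

        String step = request.getParameter("step");
        if (step == null) {
            step = "start";
        }
        // Per-user state lives in the session, never in servlet fields.
        session.setAttribute("wizard.step", step);

        if ("done".equals(step)) {
            // Redirect: the browser issues a NEW request to this URL. Without a
            // session cookie the ID has to travel in the URL, so encode it.
            // encodeRedirectURL() returns the URL unchanged when it is not needed.
            String target = request.getContextPath() + "/summary.jsp";
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        // Forward: handled inside the container within the SAME request, so the
        // session is already resolved and the path needs no encoding.
        // Links and form actions written out by next.jsp still need
        // response.encodeURL(...) if the next click must find the session
        // without a cookie.
        request.getRequestDispatcher("/WEB-INF/jsp/next.jsp").forward(request, response);
    }
}
```

When rewriting is in effect the session ID is part of the address itself, so it shows up wherever URLs do: browser history, bookmarks, server logs and Referer headers.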
 