posted 18 years ago
here is some info for you of how session works.
you do have to tell container that you want to create or use a session, but container takes care of generating the session ID, creating new Cookie object, stuffing the session ID into the cookie; and setting the cookie as part of the response.
Container tries to use cookies first. If cookies are disabled container falls back to URL rewriting, but you will have to do extra work of encoding all the URLs.
Keep in mind, if the container doesn't get a session Id from the client, container wouldn't know that this is the next request from the client. The container won't have any way to know that it tried cookies the last time, and they didn't work. THE ONLY way the container can recognize that it has seen this client before is if the client sends a session ID.
Now the next request from this same client, it will have the sessionID appended to the request URL, but if the client accepts cookies, the request will also have a session id cookie. When servlet calls request.getSession(), the container reads the session Id from the request, find the session, and thinks to itself that this client accepts cookie so it ignores request.encodeURL() calls, or else it will use URL rewriting.
You as a developer you shouldn't be bothered whether client has disabled cookies or not, as container by itself will fallback to URL rewriting.
HTH,