JavaRanch » Java Forums » Java » Servlets
Shopping carts and sessions and cookies, oh my!

C Martes
Greenhorn

Joined: Sep 21, 2010
Posts: 6
I'm trying to get better clarity on the use of cookies in session management. Sorry for such a long post.

I understand (reasonably well) the pros and cons of using cookies vs URL rewriting for session management. I also have an ok understanding of how to code URL rewrites into the tags to ensure that backup method is correctly used.

My question is how things should be handled if one chooses to rely ONLY on cookies. One of the disadvantages of URL rewriting is security related (and not the purpose of my post).

Here's an example of the behavior I'm interested in duplicating. I was working through a Java tutorial last night and as part of the tutorial, I was instructed to disable cookies in my browser. So I did that and went on with the tutorial. I tabbed over to check my email (Google Apps Gmail) and my mailbox had already been redirected to a new screen telling me that I had to turn cookies on.

So Google seems to have a "listener", always listening for whether cookies are enabled and the minute it detects that they aren't it redirects program flow to notify the user.

My application that I'm working through is a standard eCommerce application. What I'm wondering is how to employ a cookies-only approach to session management. I'll politely request that you not try to convince me otherwise... I may still use URL rewriting as a backup. The purpose of my question is to learn about how to monitor whether cookies are enabled.

So, one method I thought of was to have a servlet whose sole job is to detect whether cookies are enabled, maybe using a method I'd write like CheckCookiesEnabled(). It could do this by writing a test cookie and reading it. Then, prior to any action that depends on continuity of the session, I call that method first. If cookies are still enabled, I let flow continue on to the intended action. If not, I redirect to a Google-like page that asks the user to turn cookies back on.

But this seems awfully tedious.

Then I thought about doing this just on the root URL and treating it like a "gate". Users would only get through the gate if cookies were enabled. The problems I saw with this option though are (A) what if a user bookmarks a page beyond the gate and has cookies disabled and (B) what if a user turns cookies off after passing the gate.

So it seems that to have a really robust application, I'd need to always know for sure that cookies are enabled.

Would an appropriate strategy be to assume that cookies are enabled and, whenever I need to store something in the session, use the request.getSession(false) method? If it returns not-null, I can continue on with program flow (knowing that cookies are enabled, because they HAVE to be enabled for the incoming request to be associated with an existing session, right?). If it returns null, I could at that point check whether cookies are enabled with my CheckCookiesEnabled() method.
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

You don't need a separate method to check whether the client accepts cookies. What actually happens: when the Container sees you call request.getSession(), and realizes it needs to start a new session with this client, the Container sends the response with both a "Set-Cookie" header for the session ID, and the session ID appended to the URLs (if you've done response.encodeURL()).

In the next request from this client, it will have the session ID appended to the request URL, but if the client accepts cookies, the request will ALSO have a session ID cookie. When the servlet calls request.getSession(), the Container reads the session ID from the request, finds the session, and thinks to itself, "This client accepts cookies, so I can ignore the response.encodeURL() calls".


|BSc in Electronic Eng| |SCJP 6.0 91%| |SCWCD 5 92%|
C Martes
Greenhorn

Joined: Sep 21, 2010
Posts: 6
Thanks Abimaran. Clarification question though:

- we call request.getSession() --> session created
- container sends response with session ID (but let's say we don't use response.encodeURL()).
- user doesn't accept cookies so no cookie written
- In the next request from the client, the session ID is not in the header and no cookie is sent
- the next call to request.getSession() just starts the process all over again

In this scenario, the state never gets "conversational". I follow your logic when you use URL Rewriting. But if you don't use that backup method, it seems that somewhere in the flow you have to have a "check" to see whether cookies are being saved. Otherwise, in something like a shopping cart, the app would never remember what's been added.

So I guess the question is, if one chooses not to use URL rewriting (and doesn't use client-side testing with something like JavaScript), how/where would one test for and notify the user about the need for them to enable cookies?

Thanks in advance.
Harpreet Singh janda
Ranch Hand

Joined: Jan 14, 2010
Posts: 317

In that case you can check for the jsession cookie. If the cookie does not exist, that means cookies are disabled.
C Martes
Greenhorn

Joined: Sep 21, 2010
Posts: 6
Unless the visitor has just arrived at the site, right? Their first page request will not have the cookie, but that doesn't mean that cookies are disabled.

So if you get a request that has no cookie, EITHER the visitor just arrived at the site OR they have cookies disabled (or both). But to know for sure, don't you require an added check?
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

I think there is no way other than using URL re-writing!
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61084
C Martes wrote: But this seems awfully tedious.

Sometimes life is tedious. If you want to be sure that cookies are enabled, you have to check for them. Anything else is just a guess.

[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
C Martes
Greenhorn

Joined: Sep 21, 2010
Posts: 6
By tedious, I meant that because I'm new at Java, it seemed plausible that what I came up with on my own was less-than-optimal. I don't mind doing the work if it's the appropriate way to do it. I was just hoping for an opinion on an appropriate method (maybe either validation that my suggestion seemed appropriate or a suggested improvement).

Thanks in advance if any of you can recommend one (and thanks for the other replies too).
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61084
Set a cookie, and then see if it has been set. This requires a round-trip to the client and back. You can't check on the very first request.

It has nothing really to do with Java, but with HTTP.
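One way to implement the set-a-cookie-and-read-it-back round trip Bear describes as a servlet filter, so the check also resolves the "first visit or cookies disabled?" ambiguity raised earlier in the thread. This is an added example, not code from any poster; the test cookie name, the marker parameter and the notice page path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the thread): confirms cookie support with one
// set-then-read-back round trip and re-checks on every request it is mapped to,
// so a visitor who turns cookies off mid-session is caught as well.
public class CookieCheckFilter implements Filter {
    private static final String TEST_COOKIE = "cookietest";   // assumed cookie name
    private static final String MARKER_PARAM = "cookiecheck"; // marks the second leg of the round trip
    private static final String NO_COOKIES_PAGE = "/cookies-required.html"; // assumed page in this webapp

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Cookies are known to work if the browser returned the container's session
        // cookie (JSESSIONID) or our own test cookie: let the request through.
        if (request.isRequestedSessionIdFromCookie() || hasCookie(request, TEST_COOKIE)) {
            chain.doFilter(req, res);
            return;
        }
        // No cookie came back. The marker parameter separates "first visit" from
        // "cookies disabled": if it is present, the previous response set a cookie
        // and the browser did not send it back, so cookies really are off.
        if (request.getParameter(MARKER_PARAM) != null) {
            response.sendRedirect(request.getContextPath() + NO_COOKIES_PAGE);
            return;
        }
        // First leg: set the test cookie and bounce the browser back to the same URL
        // (built from the request's own URI, not from user input) with the marker added.
        Cookie probe = new Cookie(TEST_COOKIE, "1");
        probe.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        probe.setHttpOnly(true);                          // Servlet 3.0+; script never needs to read it
        response.addCookie(probe);
        String query = request.getQueryString();
        String target = request.getRequestURI() + (query == null ? "?" : "?" + query + "&")
                + MARKER_PARAM + "=1";
        response.sendRedirect(target);
    }

    private static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();          // null when the request carries none
        if (cookies == null) return false;
        for (Cookie c : cookies) if (name.equals(c.getName())) return true;
        return false;
    }
}
```

Map the filter to GET entry points rather than form handlers: the 302 turns a POST into a GET and drops its body, so a cart submission caught on the first leg would be lost.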