aspose file tools*
The moose likes Servlets and the fly likes Who all can access HttpSession and/or its attributes ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Who all can access HttpSession and/or its attributes ?" Watch "Who all can access HttpSession and/or its attributes ?" New topic
Author

Who all can access HttpSession and/or its attributes ?

Chanakya Gupta
Ranch Hand

Joined: May 23, 2010
Posts: 34

The ServletContext(with attributes) - everyone in the application has access.
The HttpSession(with attributes) - who has access ? Can someone clear my doubt ?
Thankyou very much in advance.
Dieter Quickfend
Ranch Hand

Joined: Aug 06, 2010
Posts: 359
The user whose jsessionid corresponds to the HttpSession object.


Oracle Certified Professional: Java SE 6 Programmer
Oracle Certified Expert: Java EE 6 Web Component Developer
Oracle Certified Expert: Java EE 6 Enterprise JavaBeans Developer
Chanakya Gupta
Ranch Hand

Joined: May 23, 2010
Posts: 34

Thankyou Dieter !
Upon trying an example, I feel all those Servlets/JSPs have access to 'a session'
who have access to the same request. Because, it is request.getSession();

But, there is a HttpSessionEvent.getSession() also. So those Servlets/JSPs/classes
implementing HttpSessionListener also have access to the same session.

To sum up, all those Servlets/JSPs/classes having same
1. HttpServletRequest
2. HttpSessionListener

Am I right ?
Jubayar hosan
Greenhorn

Joined: Mar 31, 2010
Posts: 3

nice
Dieter Quickfend
Ranch Hand

Joined: Aug 06, 2010
Posts: 359
Chanakya:


No, it's like this:

A request doesn't get you a session. The moment you need to put something in a session, and call the getSession() method on the request object, the container will create a session object for you. This object exists on the server. The container will also send a jsessionid in the response, which is stored in a cookie on the client (if you've got cookies enabled). Then, you will automatically send that jsessionid in the header with every request to the server, so that the container recognizes that you're the user that can speak to that particular session object. This is the container's way of maintaining state.

an HttpSessionListener just listens for certain lifecycle events in any session object, and performs a corresponding action. It has nothing to do with who has access to what.

An HttpSession object can span many requests, and many HttpSessionListeners can be registered for any and all HttpSessions.


Hope that clarifies it a little bit.
Chanakya Gupta
Ranch Hand

Joined: May 23, 2010
Posts: 34

Thankyou Dieter !

So any Servlet/JSP/Class is free to have access
to the 'session' ! Got it, I suppose !
sourabh girdhar
Ranch Hand

Joined: Feb 10, 2010
Posts: 71

Yes Chanakya,

Any Servlet/JSP can get access to session provided they have access to request object.

Just to clear -
A session can be associated with multiple requests from same client. So be clear about concurrency issues while putting objects in session.

Sourabh


SCJP SCWCD AIX SOA
The significant problems we face cannot be solved by the same level of thinking that created them -- Albert Einstein

Chanakya Gupta
Ranch Hand

Joined: May 23, 2010
Posts: 34

Summing up from Dieter and Sourabh,

- multiple requests --> same client --> same sessionid

- any part of the webapp can access this sessionid
(with access to request and event)

- and sessions are not thread-safe.

Thankyou sourabh. Its clearer
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Chanakya Gupta wrote:Summing up from Dieter and Sourabh,

- any part of the webapp can access this sessionid
(with access to request and event)



The part in the parenthesis is important here.
A ServletContextListener, for example, would not be able to access a session.
Likewise the init method in a servlet has no way to access any session information because servlets can be configured to be loaded when the container starts up, before any actual requests have been made.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Who all can access HttpSession and/or its attributes ?
 
Similar Threads
Thread Safe Issue
Handling HttpSession
accessing httpsession\httpsession attributes in custom validator
scope of setAttribute() and getAttribute()
Session values of a Backing Bean in JSF