Win a copy of Svelte and Sapper in Action this week in the JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Bear Bibeault
  • Junilu Lacar
Sheriffs:
  • Jeanne Boyarsky
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • salvin francis
  • Frits Walraven
Bartenders:
  • Scott Selikoff
  • Piet Souris
  • Carey Brown

doubt in session management in jsp

 
Ranch Hand
Posts: 40
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,

Actually I am drawing a parallelism between servlet session management and
jsp session management . In servlet we write HttpSession session = req.getSession(); and if we generate a response and the client accepts cookies
then the session id is passed on to the client and any subsequent request will
have that session id.Now, if we have to use that particular session
in some other servlet we write HttpSession session = req.getSession();
In servlet we have the option of keeping a request in the same session
or not If we don't write HttpSession session = req.getSession(); that means
we want from this point the request to be out of the session we are using.


Now, my question is:-
As, the session object is by default available in every jsp,I was thinking
if we need to invalidate session explicitly or write session="false" in page directive if we don't want subsequent requests to be considered under a single session .

Another question is in jsp we don't need to write HttpSession session = req.getSession();Any response generated by a jsp will pass the cookie hence the session id to client by default as session object is by default available.

am I right?

Thanks in advance
Dilip
 
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Originally posted by Dilip Mallik:

In servlet we have the option of keeping a request in the same session
or not If we don't write HttpSession session = req.getSession(); that means
we want from this point the request to be out of the session we are using.



This isn't exactly right.
Once you call getSession, the session object the first time the session is created. The session won't be discontinued if a subsequent request fails to call getSession. If getSession is never called, the container won't instanciate the session object.
In other words, there is no way to 'discontinue' using a session.

The closest thing you could do is call HttpSession.invalidate() which will end that session, causing a new one to be created if, in a subsequent request, getSession is called again.



Now, my question is:-
As, the session object is by default available in every jsp,I was thinking
if we need to invalidate session explicitly or write session="false" in page directive if we don't want subsequent requests to be considered under a single session .



JSPs are compiled into servlet code by your container when they're first hit. By default, the generated code contains a call to getSession unless
you add the session="false" directive to your JSP.

Adding session="false" to another JSP will not invalidate your session.
It will (just like with a servlet that never calls getSession) simply keep that JSP from causing the container to create a session.

If you want to invalidate a session, you would call session.invalidate().

Another question is in jsp we don't need to write HttpSession session = req.getSession();Any response generated by a jsp will pass the cookie hence the session id to client by default as session object is by default available.



Correct.
As mentioned earlier, the generated servlet code will, by default, contain a call to getSession in order to supply the JSP with implicit 'session' variable. That is, unless you add the session="false" directive.

Two things you might want to check out.
1.) The specs for both Servlets and JSP.
There are links to both in my signature.

2.) Your JSP's generated servlet code.
Depending on your container, you might need to alter the configuration in order to keep this around.
You don't with the Tomcat application server.
The generated servlet code will be under the tomcat/work/org/apache/jsp directory.
Try creating a small JSP, hitting it, and then viewing the generated servlet code. Then add the session="false" directive, hit it again, and compare the new servlet code to the old.
 
and POOF! You're gone! But look, this tiny ad is still here:
the value of filler advertising in 2020
https://coderanch.com/t/730886/filler-advertising
    Bookmark Topic Watch Topic
  • New Topic