Passing a session from a servlet to a JSP

Greetings all,

I'm building a webapp using JSP/sessions/servlets. The webapp will have dozens of concurrent users logged in.

login.jsp gets called from a link on the webapp's home page and contains a form that calls servlet process_login.java .
process_login.java uses the username/passwd info from the form to validate against a database and if valid creates a session and stores some values in it:

// a snippet from process_login.java if( user_is_valid) { // session method HttpSession session = request.getSession(); // get or create current session object session.setMaxinactiveInterval(10000); // 10000 seconds session.setAttribute("userID", sqlcol_arry[0]; session.setAttribute("userName", request.getParameter("username")); session.setAttribute("level_of_privilege", sqlcol_arry[1]); response.sendRedirect("myapp_main.jsp"); } else { response.sendRedirect("login_error.jsp"); }

Questions: What should I put in myapp_mail.jsp and/or process_login.java so that myapp_main.jsp finds the session corresponding to the person who just logged in? Does this question make sense? If a new session is created for each valid user there could be dozens of sessions floating around - how would myapp_main.jsp know which one to find and then how would it grab that session?

Comments/hints/suggestions/constructive critisism/links/examples are all welcome.

TIA,

Still-learning Steve

You should google for JSP Session Management to learn a lot of details but basically:

1) When a session is created, the next response to the client sends a Cookie with a unique ID for the session for that client
2) When the client sends each new request from then on, it includes the same Cookie with the session ID for its intended Session
3) Part of the pre-processing of the request done by the server is to find that Cookie with ID and associate the proper Session with the request.

So what do you have to do? Really nothing except call request.getSession() or use the scope=session attribute in tags as appropriate.

But like I said, google for session management to learn more - and what to do to prevent clients that have Cookies turned off from breaking.

OK, I can google for that. I'm striving hard to not make use of cookies. Another way might be for process_login.java to create a Bean, but again how would myapp_main.jsp know which Bean (well, instance of Bean to use?

I'll check on this in a few hrs time, gotta run. Thanks for your input.


Still-learning Steve

Stuart Rogers wrote:OK, I can google for that. I'm striving hard to not make use of cookies. Another way might be for process_login.java to create a Bean, but again how would myapp_main.jsp know which Bean (well, instance of Bean to use?

I'll check on this in a few hrs time, gotta run. Thanks for your input.


Still-learning Steve

Do the google for Session Management. You should find links for 'URL Re-writing', which appends the session id to the end of the URLs as special information. If you plan on not using cookies then this is your only choice.

Stuart Rogers wrote:OK, I can google for that. I'm striving hard to not make use of cookies.

I smell a misunderstanding.

The application server actually makes use of a cookie to make session tracking possible without URL rewriting. Only and only if the client doesn't support cookies, the application server will switch to URL rewriting (jsessionid will be added to the request URL). This way the server will still be able to track the client session.

At any way, to get straight on your question "Passing a session from a servlet to a JSP": the HttpSession is implicitly already available in JSP EL in the form of ${pageContext.session} and its attributes by ${sessionScope.attributeName} or just ${attributeName}.

I would also rather collect all User specific properties together in one User class which you can store as one session attribute, instead of spreading them all out as loose session attributes.

Bauke Scholtz wrote:
The application server actually makes use of a cookie to make session tracking possible without URL rewriting. Only and only if the client doesn't support cookies, the application server will switch to URL rewriting (jsessionid will be added to the request URL). This way the server will still be able to track the client session.

You can usually turn cookies off on the server side as well. For example on Tomcat you can set the Context's cookies attribute to false to force URL rewriting even if the client supports cookies.

Sure. But based on the the knowledge level of the topicstarter I don´t think that he actually turned off cookies on the server.

I was able to get it all working, with a little help from google and my collegues here at JavaRanch.

Thanks to all that replied!

CASE CLOSED

Still-learning Stuart