I am learning session with servlets and i read in the book that to create a session we need to call as below.
HttpSession session = request.getSession()
This causes the web container to create a session ID and send it back to client so that client can attach it with every subsequent request to the server. When i open developer tools in chrome under request headers in network tab i do see a cookie header.
Cookie: JSESSIONID=F92
Below is what i did in my login servlet
package shop;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;import javax.servlet.http.HttpServletRequest;import java.io.IOException;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;public class LoginServlet extends HttpServlet{ @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String uid = request.getParameter("uid"); String password = request.getParameter("pwd"); if(uid.equals("admin") && password.equals("admin")) { HttpSession session = request.getSession(); System.out.println(session.getId()); response.sendRedirect("shopping"); } else response.getWriter().println("Invalid Credentials"); } @Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { this.doGet(request, response); }}Index.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%><!DOCTYPE html><html><head><meta charset="ISO-8859-1"><title>shopping application</title></head><body style="background-color:cyan"><div style="text-align:center"><h3>Welcome to Mart</h3><form action="login" method="post" name="loginform"> <div style="padding:2px;"> <label for="uid">Username:</label> <input type="text" id="uid" name="uid"> </div> <div style="padding:2px;"> <label for="pwd">Password:</label> <input type="password" name="pwd" id="pwd"> </div> <input type="submit" value="Login"></form></div></body></html>My question is that even if i remove the getSession() call i still see the cookie in the network tab. Is there a default session associated with every request by tomcat?
Advertisement
Answer
On Tomcat sessions are established lazily, when they are needed. There are basically a couple of situations where sessions are created:
- if you call
request.getSession()orrequest.getSession(true)a session is always established, - if you authenticate users against Tomcat’s user database a session might be created depending on the authentication method. Most notably if you use form authentication (see this tutorial) a session is always established,
- JSP pages create sessions unless you add the
<%page session="false"%>directive (see Why set a JSP page session = “false” directive?).
Browsers remember cookies, so the presence of a JSESSIONID is not an indication of the presence of a session (it might be there from a previous test). To test for a presence of a session use request.getSession(false). For example:
@Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { final boolean establishSession = req.getParameter("withSession") != null; try (final PrintWriter writer = resp.getWriter()) { final String requestedSessionId = req.getRequestedSessionId(); final HttpSession possibleSession = req.getSession(establishSession); writer.append("I requested a session with id: ")// .append(requestedSessionId) .append("nI have a session with id: ") .append(possibleSession != null ? possibleSession.getId() : null) .println(); } }Edit: I added the case of a JSP page creating sessions.