Skip to content

Session created by Tomcat

I am learning session with servlets and i read in the book that to create a session we need to call as below.

HttpSession session = request.getSession()

This causes the web container to create a session ID and send it back to client so that client can attach it with every subsequent request to the server. When i open developer tools in chrome under request headers in network tab i do see a cookie header.


Below is what i did in my login servlet

package shop;

import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;


import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

public class LoginServlet extends HttpServlet{
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        String uid = request.getParameter("uid");
        String password = request.getParameter("pwd");
        if(uid.equals("admin") && password.equals("admin"))
            HttpSession session = request.getSession();
            response.getWriter().println("Invalid Credentials");
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        this.doGet(request, response);



<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
<!DOCTYPE html>
<meta charset="ISO-8859-1">
<title>shopping application</title>
<body style="background-color:cyan">
<div style="text-align:center">
<h3>Welcome to Mart</h3>
<form action="login" method="post" name="loginform">
    <div style="padding:2px;">
        <label for="uid">Username:</label>
        <input type="text" id="uid" name="uid">
    <div style="padding:2px;">
        <label for="pwd">Password:</label>
        <input type="password" name="pwd" id="pwd">

    <input type="submit" value="Login">

My question is that even if i remove the getSession() call i still see the cookie in the network tab. Is there a default session associated with every request by tomcat?



On Tomcat sessions are established lazily, when they are needed. There are basically a couple of situations where sessions are created:

  • if you call request.getSession() or request.getSession(true) a session is always established,
  • if you authenticate users against Tomcat’s user database a session might be created depending on the authentication method. Most notably if you use form authentication (see this tutorial) a session is always established,
  • JSP pages create sessions unless you add the <%page session="false"%> directive (see Why set a JSP page session = “false” directive?).

Browsers remember cookies, so the presence of a JSESSIONID is not an indication of the presence of a session (it might be there from a previous test). To test for a presence of a session use request.getSession(false). For example:

   protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
      final boolean establishSession = req.getParameter("withSession") != null;
      try (final PrintWriter writer = resp.getWriter()) {
         final String requestedSessionId = req.getRequestedSessionId();
         final HttpSession possibleSession = req.getSession(establishSession);
         writer.append("I requested a session with id: ")//
               .append("nI have a session with id: ")
               .append(possibleSession != null ? possibleSession.getId() : null)

Edit: I added the case of a JSP page creating sessions.

2 People found this is helpful