I am learning session with servlets and i read in the book that to create a session we need to call as below.
HttpSession session = request.getSession()
This causes the web container to create a session ID and send it back to client so that client can attach it with every subsequent request to the server. When i open developer tools in chrome under request headers in network tab i do see a cookie header.
Cookie: JSESSIONID=F92
Below is what i did in my login servlet
package shop;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
public class LoginServlet extends HttpServlet{
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String uid = request.getParameter("uid");
String password = request.getParameter("pwd");
if(uid.equals("admin") && password.equals("admin"))
{
HttpSession session = request.getSession();
System.out.println(session.getId());
response.sendRedirect("shopping");
}
else
response.getWriter().println("Invalid Credentials");
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
this.doGet(request, response);
}
}
Index.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>shopping application</title>
</head>
<body style="background-color:cyan">
<div style="text-align:center">
<h3>Welcome to Mart</h3>
<form action="login" method="post" name="loginform">
<div style="padding:2px;">
<label for="uid">Username:</label>
<input type="text" id="uid" name="uid">
</div>
<div style="padding:2px;">
<label for="pwd">Password:</label>
<input type="password" name="pwd" id="pwd">
</div>
<input type="submit" value="Login">
</form>
</div>
</body>
</html>
My question is that even if i remove the getSession() call i still see the cookie in the network tab. Is there a default session associated with every request by tomcat?
Advertisement
Answer
On Tomcat sessions are established lazily, when they are needed. There are basically a couple of situations where sessions are created:
- if you call
request.getSession()orrequest.getSession(true)a session is always established, - if you authenticate users against Tomcat’s user database a session might be created depending on the authentication method. Most notably if you use form authentication (see this tutorial) a session is always established,
- JSP pages create sessions unless you add the
<%page session="false"%>directive (see Why set a JSP page session = “false” directive?).
Browsers remember cookies, so the presence of a JSESSIONID is not an indication of the presence of a session (it might be there from a previous test). To test for a presence of a session use request.getSession(false). For example:
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
final boolean establishSession = req.getParameter("withSession") != null;
try (final PrintWriter writer = resp.getWriter()) {
final String requestedSessionId = req.getRequestedSessionId();
final HttpSession possibleSession = req.getSession(establishSession);
writer.append("I requested a session with id: ")//
.append(requestedSessionId)
.append("nI have a session with id: ")
.append(possibleSession != null ? possibleSession.getId() : null)
.println();
}
}
Edit: I added the case of a JSP page creating sessions.