struts-user mailing list archives

From "Max Cooper" <>
Subject Re: Association between Session object and Cookies/URL rewriting
Date Thu, 06 Mar 2003 11:10:43 GMT
Session IDs identify sessions, not users.

A session is using a browser to access a server from a particular machine.
It doesn't matter if you login or not, sessions are meant just to associate
a group of requests as coming from one (or more) person sitting at a
computer using a browser. HTTP is a stateless protocol, meaning the protocol
does not have any built-in way for the server to recognize that several
requests are coming from the same session. By using a session cookie (or URL
rewriting), the server can track which requests should be associated with a
particular session, because all of those requests will include the session

Here's a little dialog to illustrate:

Ms. Browser (a browser): Hello Mr. Forgetful, please send me the search

Mr. Forgetful (the server): Welcome, please excuse me not remembering who
you are or even if this is your first request or not, but it is not in my
protocol to do so. So that I may handle your requests with the highest level
of service in the future, please include this SessionID cookie that I am
including in your response with your requests. It will help me identify you
in the future and perhaps remember your preferences.

Ms. Browser: I take no offense to you not remembering me, even though I was
just here earlier in the day. I realize it is not in your protocol to do so,
and I do appreciate your efforts with the SessionID cookie. I will be sure
to include it with all my requests. Please perform a search with the
keywords "tattoo parlor".

Mr. Forgetful: A search for "tattoo parlor", eh? I still don't know your
name, but I see that you have visited recently; thank you for including the
SessionID cookie with your request. Here are your search results. I have
included 10 hits per page, as it is the default.

Ms. Browser: Thank you, Mr. Forgetful. Can you please run the search for
"tattoo parlors" again and include 25 hits per page this time?

Mr. Forgetful: A search for "tattoo parlor" with 25 hits per page is coming
your way. I will remember your preference for 25 hits so that I may format
any future searches with the same preference. Thank you for including your
SessionID cookie with your request, and please be sure to include it with
any future requests so that I may apply your preferences.

Ms. Browser: Oh, I see a hit that I would like to view. Please send me
information on Sick Dogs Tattoo Parlor.

Mr. Forgetful: Whoa! That information requires that you identify yourself
before viewing, and I don't have any user information associated with the
SessionID cookie that you sent with your request. Please request the login
form so that I may verify your access. I will remember the page you were
trying to view based on your SessionID for your convenience.

Ms. Browser: You must be sending me on some kind of wild goose chase, Mr.
Forgetful! Please send me the login form.

Mr. Forgetful: Here is the login form, as requested.

Ms. Browser: Okay, my username is 'PaintedLady' and my password is

Mr. Forgetful: Oh hello, PaintedLady! I have associated your user
information with the SessionID cookie that you included with your request.
Please make a new request the Sick Dogs Tattoo Parlor information page

Ms. Browser: I hope this is the end of this goose chase, Mr. Forgetful!
Please send me the information page on Sick Dogs Tattoo Parlor, please.

Mr. Forgetful: Whoa! Oh, never mind, I see that it is just you, PaintedLady,
based on the user information associated with your SessionID, and I see that
you have sufficient rights for me to process your request. Here is the page
you requested.

Ms. Browser: Thank you, Mr. Forgetful. They have a picture of one of the
tattoos on my back, and I am beginning to think that one was a mistake. I'm
going to back up a bit here. Please do a search for "tattoo removal

Mr. Forgetful: Okay, here are the results for the "tattoo removal service"
search, and based on the preferences I have associated with your SessionID,
I have included 25 hits per page.

Okay, it's kind of a silly dialog. But that is how the SessionID cookie
works, and how it interplays with authentication. Note that the user
information is not directly available in the HttpSession in most cases, but
the server associates both with the SessionID behind the scenes, and your
apps can access it through request.getUserPrincipal(),
request.getRemoteUser(), request.isUserInRole(), etc. The lifecycle of this
authentication information is the same as that of the HttpSession, since the
server uses the SessionID cookie to identify both pieces of information.
Servers often use a combination of the IP address your requests come from
and perhaps other information along with the SessionID cookie value to
enhance security. The name of the 'SessionID' cookie here is simply an
illustration -- the real name of the cookie depends on your server, but the
usage is as described.
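The exchange described above, as an added example that is not part of the original post: a small in-memory stand-in for the container (constructed credentials, pages and cookie name, not any real server's), showing that the "hits per page" preference and the logged-in user are both keyed by the SessionID cookie, so the login state has the session's lifetime. The fresh SessionID issued at login is my addition, not something the post describes.

```python
import secrets

SESSIONS = {}                          # SessionID -> {"prefs": ..., "user": ..., "resume": ...}; constructed store
USERS = {"PaintedLady": "hunter2"}     # constructed credentials for the example
RESTRICTED = {"/sick-dogs"}            # pages that require an authenticated user (hypothetical)

def _session_for(cookies):
    """Return (sid, session), creating a fresh session when no valid cookie is presented."""
    sid = cookies.get("SessionID")
    if sid not in SESSIONS:
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {"prefs": {"hits": 10}, "user": None, "resume": None}
    return sid, SESSIONS[sid]

def handle(path, params=None, cookies=None):
    """Mr. Forgetful: serve one request using only what the SessionID points at; returns (status, body, cookies_to_set)."""
    params, cookies = params or {}, cookies or {}
    sid, sess = _session_for(cookies)
    if path == "/search":
        if "hits" in params:
            sess["prefs"]["hits"] = int(params["hits"])   # the preference lives on the session, not on a user
        body = f"results for {params.get('q', '')!r}, {sess['prefs']['hits']} hits per page"
    elif path == "/login":
        if params.get("user") not in USERS or USERS[params["user"]] != params.get("password"):
            return 401, "bad credentials", {"SessionID": sid}
        sess["user"] = params["user"]          # user information is now associated with this session
        # Added here (not in the post): issue a new SessionID at login so the pre-login id is never reused.
        SESSIONS.pop(sid)
        sid = secrets.token_hex(16); SESSIONS[sid] = sess
        body = f"hello {sess['user']}, resume {sess['resume']}"
    elif path in RESTRICTED and sess["user"] is None:
        sess["resume"] = path                  # remember the page the browser wanted, keyed by SessionID
        return 302, "/login", {"SessionID": sid}
    else:
        body = f"page {path} for {sess['user'] or 'anonymous'}"
    return 200, body, {"SessionID": sid}

def run_dialog():
    """Ms. Browser: replay the post's dialog; returns the (status, body) pairs she sees."""
    jar, log = {}, []
    def step(path, **params):
        status, body, set_cookie = handle(path, params, jar)
        jar.update(set_cookie)                 # the browser stores the cookie and resends it every time
        log.append((status, body))
    step("/search", q="tattoo parlor")
    step("/search", q="tattoo parlor", hits="25")
    step("/sick-dogs")                         # redirected: no user attached to this session yet
    step("/login", user="PaintedLady", password="hunter2")
    step("/sick-dogs")                         # allowed: the user is now attached to the session
    step("/search", q="tattoo removal service")
    return log
```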

