struts-user mailing list archives

From "Andrew Hill" <andrew.david.h...@gridnode.com>
Subject RE: Association between Session object and Cookies/URL rewriting
Date Thu, 06 Mar 2003 09:06:47 GMT
HttpSession is a separate matter from authentication as far as the container
is concerned, inasmuch as session tracking operates to associate requests
with a particular client. The way it does this is by allocating a session
id - which the client submits with each request.

There are two ways that this id can be submitted.
The first (and I believe the default) is to make use of cookies. If the
container is giving the client a session and the client has cookies enabled,
the container will return to the client a cookie that contains the session
id, and the client browser submits this with its requests allowing the
container to identify which session the request belongs to. This mechanism
works almost transparently both to the user and the developer.

The second way - url rewriting - operates when cookies are disabled on the
client (and it is considered best practise to allow for this possibility as
a lot of users are getting paranoid about cookies these days). This involves
all links that are displayed in the browser including the session id as part
of the url - so you will see urls of the form:
http://www.mystery-machine.com/shaggy/scooby.do;jsessionid=4878D95252DE47FDC39E69070F49F397

Obviously for the links to contain the session id the developer has to do a
bit more work - basically requiring all links to pages/actions participating
in that session to be 'rewritten'. The Struts <html:link> tag will do this
automatically for any links you render with it - I presume the <html:form>
tag will also do it for its action (I don't use JSP so I'm not entirely sure,
but it would seem logical).

If you need to do it yourself somewhere, the servlet API's HttpServletResponse
also supplies an encodeUrl() method that, when passed a string containing a
plain URL, will add the session id if necessary and return the encoded URL
string to you.


-----Original Message-----
From: Heligon Sandra [mailto:sandra.heligon@thomson.net]
Sent: Thursday, 6 March 2003 16:41
To: 'Struts Users Mailing List'
Subject: RE: Association between Session object and Cookies/URL rewriting
Importance: High


Tomcat is responsible for the cookie creation but it is
the Struts Action Servlet that is responsible for the
session (HttpSession initialization), isn't it?
A few months ago I had a discussion with Craig and he indicated
to me that a session was initialized in several cases:

* The controller servlet will create a session for you, if you
  declare that your form bean is in session scope.

* The controller servlet will create a session for you, if you
  configured the automatic locale recognition mechanism (the "locale"
  servlet initialization parameter for 1.0, or the corresponding
  attribute on the <controller> element for 1.1).

* Your application Action can create a session if it needs to, by
  calling request.getSession().

* Actions will create a session for you automatically if you use
  transaction tokens, or the getLocale()/setLocale() methods.

* JSP pages will create a session for you automatically unless you
  explicitly tell them not to (<%@ page ... session="false" ... %>).

* The <html:html> tag will create a session for you automatically
  if you use locale="true".

* The <html:form> tag will create a session for you automatically
  if your form bean is in request scope, or if you are using
  transaction tokens.

I don't understand how the controller distinguishes a client X from a
client Y. What parameter/information allows it to identify a client?
As I said yesterday, in my application two clients do not have the same
authentication information (userLogin and password).

If a client X enters the URL http://localhost:8080/MyAppli, when the
home page is displayed, if the form is in the session, an HttpSession is
created, isn't it? But the client has not yet given his userLogin and
password.

If a new browser is opened on the same PC with the URL of the application,
is a new HttpSession created?
Normally a new session must be created only if login information is
different from the first client's browser. But on the Home page we do not
have to carry out the Login action yet.

Do you understand my question?

-----------------------------------------------------------
As of February 12, 2003 Thomson unifies its email addresses on a worldwide
basis. Please note my new email address: sandra.heligon@thomson.net

Thomson is the leader in solutions and technologies for the entertainment
and media industries and serves its customers under its four strategic
brands: Technicolor, Grass Valley, RCA and THOMSON.
More about Thomson: http://www.thomson.net/videochain

-----Original Message-----
From: Nicolas De Loof [mailto:nicolas.deloof@cgey.com]
Sent: 05 March 2003 14:53
To: Struts Users Mailing List
Subject: Re: Association between Session object and Cookies/URL rewriting


Struts doesn't create cookies, the J2EE servlet container does (Tomcat).
When you use "request.getSession()" in your code, the J2EE server will use a
cookie (or a request parameter if URL rewriting is used, see your
server config) to get the session ID.

If no ID is set, it will generate a new session ID and add a
"Set-Cookie" HTTP header in the response.

A new request from the user's browser will come to the server with a
"SESSIONID" cookie header, and the request.getSession() implementation
will be able to find the session object from the ID.

Read the J2EE or Tomcat documentation to get more info on sessions
(sessionid cookie, URL rewriting ...).

Nico.

>
> I don't understand very well how Struts manages session objects
> and why a sessionID is fixed for a user?
> Session objects are stored on the web server (Tomcat in my case) and
> a cookie saved on the disk allows retrieving the HttpSession
> associated with a user.
> But I don't understand how the cookie is created and why it is
> associated with a client.
> How does Struts create the session cookie?
> I read that the cookie object is created when a user first loads a
> web page that is a part of the application.
> But at this stage what distinguishes a user X from a user Y?
> In my application I distinguish two users with authentication
> information but when the first page is displayed the authentication
> is not done.
> How does Struts know that it is a new user and that it has to create a
> new HttpSession and a new cookie?
> Is a user (and so a cookie) associated with a user NT account?
> I am not certain to have been rather clear.
> Thanks in advance for your help.
> Sandra


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
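
The session tracking described in this thread, as an added example that is not part of the original messages and is not Tomcat's or Struts' code: a simplified in-memory model showing that the container keys a session on the submitted id alone, before any login. The class `SessionTrackingDemo`, the `Request` record and the id format are assumptions made for illustration; it runs stand-alone with `java SessionTrackingDemo.java` (Java 16 or later).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of a servlet container's session tracking (hypothetical, not Tomcat's code).
public class SessionTrackingDemo {
    // Server-side store: session id -> session attributes.
    static final Map<String, Map<String, Object>> SESSIONS = new HashMap<>();

    // Constructed request: only the two places a session id can arrive in.
    record Request(String cookieId, String url) {
        String urlId() {   // id carried as a ";jsessionid=" path parameter (no query string assumed)
            int i = url.indexOf(";jsessionid=");
            return i < 0 ? null : url.substring(i + ";jsessionid=".length());
        }
    }

    // Models request.getSession(): reuse a known id, otherwise allocate a new session.
    static String getSession(Request req) {
        String id = req.cookieId() != null ? req.cookieId() : req.urlId();
        if (id == null || !SESSIONS.containsKey(id)) {
            id = UUID.randomUUID().toString().replace("-", "").toUpperCase(); // constructed id format
            SESSIONS.put(id, new HashMap<>());
        }
        return id;
    }

    // Models response.encodeURL(): append the id only if it did not arrive in a cookie.
    static String encodeURL(Request req, String sessionId, String url) {
        return sessionId.equals(req.cookieId()) ? url : url + ";jsessionid=" + sessionId;
    }

    public static void main(String[] args) {
        // Browser A, first visit, no login yet: a session is allocated anyway.
        Request first = new Request(null, "/shaggy/scooby.do");
        String a = getSession(first);
        System.out.println("A new session, link: " + encodeURL(first, a, "/shaggy/next.do"));
        // Browser A returns the cookie: same session, links are left plain.
        Request second = new Request(a, "/shaggy/next.do");
        System.out.println("A same session: " + getSession(second).equals(a)
                + ", link: " + encodeURL(second, a, "/shaggy/next.do"));
        // Browser A with cookies disabled: the id travels in the rewritten URL.
        Request rewritten = new Request(null, "/shaggy/next.do;jsessionid=" + a);
        System.out.println("A via URL, same session: " + getSession(rewritten).equals(a));
        // A second browser on the same PC sends no id, so it gets its own session.
        String b = getSession(new Request(null, "/shaggy/scooby.do"));
        System.out.println("B separate session: " + !b.equals(a));
    }
}
```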
