tomcat-taglibs-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Fereira <>
Subject Re: Retrieve a session attribute
Date Thu, 14 Apr 2005 19:53:22 GMT
At 11:46 AM 4/14/2005 -0700, you wrote:

>--- Martin Cooper <> wrote:
> >
> > In a servlet, a session will be created on a call to
> > getSession() or
> > getSession(true) if one did not already exist. In a
> > JSP, if a session
> > does not exist and the page has session="true", one
> > will be created.
> >
> > --
>I thought a JSP would share the same session within
>the servlet if a session already exists in the
>container. JSP is eventually translated into servlet
>code, doesn't it?
>I insert the log message code in the servlet before
>getting to the JSP and find that a session already
>exists at the point.

I'm not sure what you mean by "inserting the log message code" but the 
question really is how/when the session is getting created.

As mentioned above, a call to HttpSession.getSession(true) will get a 
session and create one if it does not exist.  There are numerous other 
methods in the HttpSession class for interrogating and managing the object 
(including an invalidate method).

I also have an web application in which the servlets never attempt to 
get/create a session yet I discovered (using the Tomcat Manager 
application) that there were numerous sessions associated with the 
context.  The application used several jsps which include a Page directive 
and since the session attribute defaults to true it appears that the JSP 
pages were responsible for creating a session even though I never attempt 
to access anything in the session scope (I've since set session="false" on 
all jsps in that context).

A couple of other things worth noting...

If you're using Tomcat, in the context configuration there is a Manager 
component which represents the session manager. If the element is not 
included a default Manager configuration will be created and used.  One of 
the attributes is "saveOnRestart" and is true by default. That means if you 
create a session either in a servlet or a jsp that the session information 
will be persisted and reloaded when Tomcat is restarted.  That can cause 
all kinds of nightmares if session objects are not invalidated (i.e. you 
expect them to time out).  The next time a user starts the same browser on 
the same machine they might get a persisted session object even if you've 
restarted Tomcat. Be very careful about storing any sort of private 
information in the session if public access computers are in use.

I have also seen some odd behavior regarding the session-timeout element 
configurable in the context web.xml file.  I've seen instances where I've 
changed that element yet it appears that the sessions are still using a 
default value for session time outs.  Now, when I create a session in the 
servlet I specifcially set the time out using 
a  HttpSession.setMaxInactiveInterval() method.

>If a session in JSP is unrelated
>with a session in servlet, how these two share session

They can't.  Session information is scoped only to the current web 
application (ServletContext) and the servlet container creates *a* session 
between an HTTP Client and an HTTP Server.  In most cases, the HTTP Client 
will be a browser running through a unique port from a unique IP 
address.  That means:

If I am running a instance of Mozilla and an instance of IE on the same PC 
connecting to the same ServletContext I will get two sessions.  If I run 
Mozilla and open up two tabs, each connecting to the web application, at 
least it appears that they use the same session.  If several users start up 
separate instances of a browser (i.e. on a multiuser system) they'll each 
get unique sessions.  However, sessions persist across more than one 
connection or page request (for example, different servlets or jsp pages) 
so if a jsp includes a page directive with session="true" it will use the 
same session as all other servlets and jsps in the context.  If a jsp page 
uses the page directive with session="false" it won't have access objects 
in the session scope (though they may still exist).  In essense, the only 
reason you might want to use the session="false" attribute is if *all* of 
your jsps use the same value and you never create a session in a servlet.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message