JSESSIONID is generated by the server (which contains the servlet container) and is used for session management in web applications, because, as we already know, the HTTP protocol is stateless.
Many applications require a series of requests from a client to be associated with one another. Web-based applications are responsible for maintaining such state, called a session, because the HTTP protocol is stateless.
A Java EE (or web) developer should know that, while a user browses a site, the server keeps track of some data about the browsing session in a server-side HttpSession object. For example, an e-commerce web application needs to store the shopping cart of non-registered users somewhere.
How can the server associate the stored session data with a specific browsing session? This is done through a cookie (or a GET parameter in the URL) that gives the server the session ID value.
In Java EE applications, the cookie name to identify the sessions is JSESSIONID.
Conditions under which JSESSIONID is created
The JSESSIONID cookie is created and sent when a session is created. A session is created when your code calls request.getSession() or request.getSession(true) for the first time. If you just want to get the session, but not create it if it doesn't exist, use request.getSession(false): this returns a session or null. In that case no new session is created and no JSESSIONID cookie is sent. (This also means that a session isn't necessarily created on the first request; you and your code are in control of when the session is created.)
Sessions are per-context:
SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.
(Servlet 2.4 specification)
Update: Every call to a JSP page implicitly creates a new session if there is no session yet. This can be turned off with the session='false' page directive, in which case the session variable is not available on the JSP page at all.
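The creation rule above, applied to the shopping-cart case, as an added example that is not code from the original post. The servlet class, its /cart mapping (assumed to be declared in web.xml), the "cart" attribute and the "item" parameter are all hypothetical names.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, assumed to be mapped to /cart in web.xml.
public class CartServlet extends HttpServlet {

    private static final String CART_ATTR = "cart"; // hypothetical attribute name

    // Viewing the cart must not create a session: a visitor who never adds
    // an item gets no HttpSession and no JSESSIONID cookie.
    @Override
    @SuppressWarnings("unchecked")
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // existing session or null
        List<String> cart = null;
        if (session != null) {
            cart = (List<String>) session.getAttribute(CART_ATTR);
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session: " + (session == null ? "none" : "present"));
        out.println("items in cart: " + (cart == null ? 0 : cart.size()));
    }

    // Adding an item is the first point where state is needed, so this is
    // where the container creates the session and sets the JSESSIONID cookie.
    @Override
    @SuppressWarnings("unchecked")
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String item = req.getParameter("item"); // hypothetical parameter name
        if (item == null || item.trim().isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing item");
            return; // rejected requests never reach getSession()
        }
        HttpSession session = req.getSession(); // same as getSession(true)
        List<String> cart = (List<String>) session.getAttribute(CART_ATTR);
        if (cart == null) {
            cart = new ArrayList<String>();
        }
        cart.add(item);
        session.setAttribute(CART_ATTR, cart);
        resp.sendRedirect(req.getContextPath() + "/cart");
    }
}
```

A GET to /cart from a fresh browser returns "session: none" with no Set-Cookie header; only the first valid POST causes the container to issue JSESSIONID.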
JSESSIONID and session management are very popular J2EE interview topics. Apart from "What is JSESSIONID?", interviewers are also interested in the questions below:
- How do you avoid using jsessionid?
- Is it possible to disable jsessionid in tomcat servlet?
- Under what conditions is a JSESSIONID created?
- How to refresh the JSESSIONID cookie after login?
- How to monitor HTTP requests to check JSESSIONID?