Unable to maintain session while posting from one servlet to another

Question

I'm trying to archieve the following:

1) end user will post to a servlet(lets call it GW) - the GW will store his session for the following requests to come.

2) for every request received by the GW , The GW will post to another servlet(will call it API)

3) only the GW can post to the API (SSL secured), and both will have a fixed IP(though it has nothing to do with this issue)

4) for every request posted to the API, the API must also maintain a session for future requests.

5) GW is posting to API using the following implemetation:

try {
    HttpPost httppost = new HttpPost(uri);
    CookieStore cookieStore = new BasicCookieStore();
    HttpContext httpContext = new BasicHttpContext();
    httpContext.setAttribute(ClientContext.COOKIE_STORE, cookieStore);

    HttpResponse response = httpclient.execute(httppost, httpContext);

} finally {
    httpclient.getConnectionManager().shutdown();
}

6) API will receive requests as follows:

public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    HttpSession session = req.getSession(false);
    // isSessionValidFromURL = req.isRequestedSessionIdFromURL();
    // isSessionValidFromCookie = req.isRequestedSessionIdFromCookie();
    isSessionValid = req.isRequestedSessionIdValid();
    if (isSessionValid) {
        ...
        ...
    }
...
}

7) in API, if the request is a new request it will create a new session, will store parameters in DB and build the globals and more..

The problem is: after login (GW sends login to API) command sent,the API create new session so far so good. On the second command it fails to validate the session on the following lines of code:

isSessionValid = req.isRequestedSessionIdValid();
isSessionValidFromURL = req.isRequestedSessionIdFromURL();
isSessionValidFromCookie = req.isRequestedSessionIdFromCookie();

all returns false. I tried to send the session id using a cookie mechanism as shown above, and tried sending the received session id from the url without a success.

In addition,I've tried this and this without success. Thanx

EDIT : Solution: This wonderful Post passes it via url (Its SSL so its won't be a security breach)

If the another server is a part of the same application use HTTP forwarding or redirecting (for your choice). This will be done within the same session. — AlexR, Dec 31 '12 at 09:32

score 1 · Accepted Answer · answered Jan 02 '13 at 13:41

One solution for this issue is:

...
...
httpclient.setHttpRequestRetryHandler(myRetryHandler);

uri = AppInit.fieldProxyURI + ";jsessionid=" + sessionInfo.getAttribute(GatewayConstants.PROXYSESSIONID);
HttpPost httppost = new HttpPost(uri);
nvps =(List<NameValuePair>) sessionInfo.getAttribute(GatewayConstants.PROXY_QUERY_PARAMS);
httppost.setEntity(new UrlEncodedFormEntity(nvps, Consts.UTF_8));
ProxyPoster thread = new ProxyPoster(httpclient,httppost,sessionInfo,localContext);
thread.start();
thread.join();

} finally {
// leave the connection resource open
}

static class ProxyPoster extends Thread {
    //fields here..

    // constructor here...

@Override
public void run() {
    try {
        HttpResponse response = httpClient.execute(httppost, context);
        // proccess response
    } catch (Exception e) {
        httppost.abort();
    }
}

This way the session maintained, keeping the httpclient connection open and posting the received session id via URL. Hope this will help others...

score 0 · Answer 2 · answered Dec 31 '12 at 14:41

0

Better to go with HTTP forwarding as it is server forward, hence request data will be carry forward to next action.

While in redirect it will make server trip and request data will be lost.

answered Dec 31 '12 at 14:41

Manoj Kathiriya

3,366
5
19
19

thanks for your answer! I've decided to pass the session ID manually in post uri eventually. – Yaniv Jan 02 '13 at 14:01

Unable to maintain session while posting from one servlet to another

2 Answers2