0

The HttpServletResponse#encodeRedirectURL adds the JSESSIONID (url-rewriting) for a redirect request.
I was wondering, this only makes sense if we redirect to another servlet within our web application, right?
Otherwise if we redirect to another server, how can the JSESSIONID we created in our server be of any use (meaningfull) to the other server?

Cratylus
  • 52,998
  • 69
  • 209
  • 339
  • I think you meant "this only makes sense if we redirect to **the same server**", regardlesss of the servlet. – Frank Pavageau Feb 16 '13 at 12:44
  • @FrankPavageau:Why?Is session "shared" among web applications? – Cratylus Feb 16 '13 at 12:46
  • 1
    @Cratylus: no, it's not. But a webapp can be clustered among several servers, which thus all share the same sessions. So what matters is the webapp, and not the server. – JB Nizet Feb 16 '13 at 12:48
  • As JB said, not between webapps (you didn't mention it), but between servlets, certainly, and it's quite common to have several (the JSP servlet, the static-file-serving servlet, a framework servlet, etc.). – Frank Pavageau Feb 16 '13 at 13:03

3 Answers3

2

You're right. The session ID is only meaningful for a given webapp. That's why the javadoc says:

Encodes the specified URL for use in the sendRedirect method or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL.

(emphasis mine)

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • So we use this method only to redirect *within* our web applications?Do you know a common use case for this? – Cratylus Feb 16 '13 at 12:40
  • 1
    The [post-redirect-get pattern](http://en.wikipedia.org/wiki/Post/Redirect/Get) is the main use-case. – JB Nizet Feb 16 '13 at 12:42
1

Say you have a cluster: several servers with the same set of applications deployed consistently (even a single application).

The JSESSIONID (be it in a cookie or encoded in the URL) set by one server can be useful to another server in that cluster if session clustering is enabled, so the same application on the other server can answer the user's request using her session data initially stored on the first server, or even complementing that same session data.

It's usually better to redirect to the same server as long as it's up, for data-locality, to limit the chatter in the cluster.

See

Frank Pavageau
  • 11,477
  • 1
  • 43
  • 53
  • I think this answer is incomplete after reading the comments of @JBNizet.I think it should be phrased:`The JSESSIONID (be it in a cookie or encoded in the URL) can be useful to another server in a clustered environment for redirection to a specific web application`.What do you think? – Cratylus Feb 16 '13 at 14:21
  • It's not a question of redirection. Session clustering allows a stateful application to be highly-available, as any request (redirection or not) will be answerable by any server in the cluster (that has the same application deployed of course). If one of the servers goes down, its users are not left sessionless. – Frank Pavageau Feb 16 '13 at 14:31
  • Yes this what I mean.This part of your last comment:`cluster (that has the same application deployed of course)` I think is needed in your answer. – Cratylus Feb 16 '13 at 14:33
  • Cluster in that context usually means a set of servers with the same applications deployed consistently, but I can add that bit in the answer, sure. – Frank Pavageau Feb 16 '13 at 14:37
  • I meant that the reuse of session within the cluster is aimed for the **same** application. – Cratylus Feb 16 '13 at 14:50
0

In a Java EE the application container is responsible for session management and by default uses cookies.

This link Under what conditions is a JSESSIONID created? has a detailed explanation about the JSESSIONID and how it's created.

Refer also to this post http://javarevisited.blogspot.in/2012/08/what-is-jsessionid-in-j2ee-web.html

Community
  • 1
  • 1
arvin_codeHunk
  • 2,328
  • 8
  • 32
  • 47
  • How is this relevant to my question? – Cratylus Feb 16 '13 at 12:37
  • how can the JSESSIONID we created in our server be of any use to the other server? ,this what is explained in the post, try to read it instead asking – arvin_codeHunk Feb 16 '13 at 12:45
  • My question is about the specific API.And the statement `how can the JSESSIONID we created in our server be of any use to the other server?` is part of my assumptions in my OP.Please read the questions before answering – Cratylus Feb 16 '13 at 12:48