2

Even for me it seems quite odd to raise this question, as it contradicts my initial understanding.

Problem

Tomcat creates jsessionid on the first request (request1) and sends response (response1-with JSessionID) to the client. And client sends the same via cookies to the server on the next request (request2-with JSessionID). Now server understands that this is on the same session and responds, but the response doesn't contain JSessionID(response2-without JSessionID).

So now the client doesn't get any JSessionID, so the next request from that client seems to be a new one for the server, so server creates another session, which is wrong.

Relative Posts

Attempted Solutions

Solution1

Add all cookies from the request to response - IT WORKS, but i think this is tomcat's job.

// Add cookies from request
Cookie[] cookies = req.getCookies();
if(cookies != null){
    for (int i = 0; i < cookies.length; i++) {
        resp.addCookie(cookies[i]);
    }
}

Solution2

Add JSessionID cookie from client from the time of session initiation till session destruction (no matter whether server sends the session id in the response or not) - But this is a workaround and can't be the solution because clients are out of control in real time situation.

Question - ?

It's clear that tomcat maintain's session based on JSessionID via cookies or URL Rewriting or Hidden form fields. I have no special case like disableing cookies. Now the questions are

  • Why my tomcat doesn't send JSessionID on the subsequent response?
  • If that's a normal behaviour how tomcat maintains session integrity?
  • Or is it client's responsibility to send JSessionId cookiee to server untill the cookiee expires?

Thanks for your time in helping me.. :)

Community
  • 1
  • 1
Vivek
  • 3,523
  • 2
  • 25
  • 41
  • I don't know about the Tomcat part, but yes, the client should send the cookie until: a) the cookie expires, b) the cookie's a session cookie and the user quits and restarts the browser, or c) the server deletes the cookie. However, like you, I'd expect Tomcat to set the cookie on every response (except things like logouts of course) if only to update the expiration time. – blm Oct 08 '15 at 07:28
  • Do you mean to say, the client should send all respective cookies stored to server, despite of server not returning it? – Vivek Oct 08 '15 at 09:28

0 Answers0