
If I have this code below in the doGet() where I create a session object:

```java
protected void doPost(HttpServletRequest request,
        HttpServletResponse response) throws ServletException, IOException {

    // get request parameters for userID and password
    String user = request.getParameter("user");
    String pwd = request.getParameter("pwd");

    if (userID.equals(user) && password.equals(pwd)) {
        HttpSession session = request.getSession();
        session.setAttribute("user", "Pankaj");
        // setting session to expiry in 30 mins
        session.setMaxInactiveInterval(30 * 60);
        Cookie userName = new Cookie("user", user);
        userName.setMaxAge(30 * 60);
        response.addCookie(userName);
        response.sendRedirect("LoginSuccess.jsp");
    } else {
        RequestDispatcher rd = getServletContext().getRequestDispatcher("/login.html");
        PrintWriter out = response.getWriter();
        out.println("<font color=red>Either user name or password is wrong.</font>");
        rd.include(request, response);
    }
}
```

I have a couple questions:

  1. When I create the session object at `HttpSession session = request.getSession();`, is this when the session is created for the request for the first time, or does the container already create the request when the request first comes in (before the call to `getSession()`)?
  2. When I call `response.sendRedirect("LoginSuccess.jsp");`, how is the session object available to access in `LoginSuccess.jsp`? I am able to call `session.getAttribute("user")` in `LoginSuccess.jsp`, but I am not sure how the session is passed to `LoginSuccess.jsp`?
  3. The same goes for the cookie that is created with `Cookie userName = new Cookie("user", user);`. In `LoginSuccess.jsp` I am able to do `cookie.getName().equals("user")`. How is the cookie object passed to `LoginSuccess.jsp`? Is that because of `response.addCookie(userName);`?
  • 1. It [depends](http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created). There is more than one way to call [`getSession(boolean)`](http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getSession(boolean)). 2. The session is controlled by a session id, typically stored as a cookie on the browser, and tied to persistent storage on the server. Typically, because the session id can also be encoded into URLs (to allow sessions for browsers where cookies are disabled). 3. Cookies are part of [HTTP](https://en.wikipedia.org/wiki/HTTP_cookie). – Elliott Frisch Feb 28 '17 at 23:03
  • For number 2 is the session that I created part of the application scope? Is that why I can access it in `LoginSuccess.jsp`? I didn't really get your answer for number 2. –  Feb 28 '17 at 23:12
  • There is only one session, it's controlled by the sessionId. You get the same sessionId in `LoginSuccess.jsp` (from [this answer](http://stackoverflow.com/a/598923/2970947), *Every call to JSP page implicitly creates a new session if there is no session yet. This can be turned off with the `session='false'` page directive, in which case session variable is not available on JSP page at all*). – Elliott Frisch Feb 28 '17 at 23:20
  • Oh ok. So on every call to the JSP the new session is created if there is no session yet. So underneath when the JSP is converted to a Java servlet, it would create the session variable which is why we have access to `session` variable in the jsp so we don't have to call request.getSession() in the jsp correct. –  Feb 28 '17 at 23:39
  • Well probably, the exact implementation used by a given JSP compiler isn't explicitly mandated (so there could be some container that implements it differently). What is mandated is that `session` is **one** of the nine [JSP Implicit Objects](https://www.tutorialspoint.com/jsp/jsp_implicit_objects.htm) (`request`, `response`, `out`, `session`, `application`, `config`, `pageContext`, `page`, `Exception`). – Elliott Frisch Feb 28 '17 at 23:55
  • Ok that makes sense thank you. But how about the cookie then? I know you said `cookies` is part of HTTP but in the servlet above after I do this: `response.addCookie(userName);` `response.sendRedirect("LoginSuccess.jsp");`. In the `LoginSuccess.jsp` the cookie object is then available. Can you expand on what you mean by "cookies is part of HTTP"? Since the cookie you would get from the request but you are adding the cookie to the response here and accessing it in the LoginSuccess.jsp. –  Mar 01 '17 at 03:13
  • I mean that cookies are specified by http (it's a web standard, not a java standard). You could click the [link](https://en.wikipedia.org/wiki/HTTP_cookie) provided. – Elliott Frisch Mar 01 '17 at 03:17
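
The exchange discussed in the comments above, written out as an added example (not code from the question or from any commenter): the 302 response carries `Set-Cookie` headers, and the redirected request is a new request that hands the values back in a `Cookie` header. Assumptions: the JDK's built-in `HttpServer` and an in-memory map stand in for the servlet container and `HttpSession`, and the class name `RedirectSessionDemo` is hypothetical.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

public class RedirectSessionDemo {
    public static void main(String[] args) throws Exception {
        // Server-side session store: session id -> attribute (stand-in for HttpSession).
        Map<String, String> sessions = new ConcurrentHashMap<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // Stand-in for the login servlet: create a session, set two cookies, redirect.
        server.createContext("/login", ex -> {
            String id = UUID.randomUUID().toString();
            sessions.put(id, "Pankaj");                  // session.setAttribute("user", ...)
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + id + "; Path=/; HttpOnly");
            ex.getResponseHeaders().add("Set-Cookie", "user=Pankaj; Max-Age=1800; Path=/");
            ex.getResponseHeaders().add("Location", "/LoginSuccess");
            ex.sendResponseHeaders(302, -1);             // sendRedirect: status + headers, no body
            ex.close();
        });
        // Stand-in for LoginSuccess.jsp: a separate request; state arrives only via Cookie.
        server.createContext("/LoginSuccess", ex -> {
            String cookies = ex.getRequestHeaders().getFirst("Cookie");
            String user = null;
            for (String c : (cookies == null ? "" : cookies).split("; "))
                if (c.startsWith("JSESSIONID=")) user = sessions.get(c.substring(11));
            byte[] body = ("Cookie: " + cookies + "\nsession user: " + user).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        URI base = URI.create("http://127.0.0.1:" + server.getAddress().getPort());
        // Client plays the browser by hand: keep name=value from each Set-Cookie, send it back.
        HttpClient client = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
        HttpResponse<String> r1 = client.send(HttpRequest.newBuilder(base.resolve("/login"))
                .POST(HttpRequest.BodyPublishers.noBody()).build(), HttpResponse.BodyHandlers.ofString());
        System.out.println(r1.statusCode() + " " + r1.headers().allValues("set-cookie"));
        String cookieHeader = r1.headers().allValues("set-cookie").stream()
                .map(c -> c.split(";", 2)[0]).collect(Collectors.joining("; "));
        URI next = base.resolve(r1.headers().firstValue("location").orElseThrow());
        HttpResponse<String> r2 = client.send(HttpRequest.newBuilder(next)
                .header("Cookie", cookieHeader).build(), HttpResponse.BodyHandlers.ofString());
        System.out.println(r2.body());
        server.stop(0);
    }
}
```

Run it with `java RedirectSessionDemo.java` on Java 11 or later. Whoever presents the `JSESSIONID` value is treated as the same session, so after login that cookie is the credential.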
