14

I am currently running an application with the following properties:

  • Java-based with Spring and Acegi
  • Running on Tomcat 5

I need the ability to support user sessions without cookies. Could someone please point me in the right direction.

Thank you.

Zakir Hemraj
  • 1
    Shouldn't this work out of the box on Tomcat? The servlet container should set a request parameter JSESSIONID on the first use of the session, and if the client doesn't send back a response signalling that it accepts cookies, the container is supposed to continue to use this parameter ... I think. – matt b Jan 12 '09 at 19:56

5 Answers

22

The complete answer to this question is a combination of all your responses, so I'm going to summarize:

  1. There is no need to set cookies="false" in the context.xml file. The ideal functionality is for tomcat to use its url-based session identification, which will be used by default if cookies are not supported by the user.

  2. When a user doesn't have cookies enabled, tomcat will identify the session by the "JSESSIONID" parameter from the url of the request. A couple sample urls are as follows:

         http://www.myurl.com;jsessionid=123456AFGT3
         http://www.myurl.com;jsessionid=123456AFGT3?param1=value&param2=value2

     Notice how the session id is not part of the url query string (this is a j2ee standard).

  3. In order to ensure the jsessionid parameter gets appended to all your request URLs, you can't have plain url references. For example, in JSTL, you have to use <c:url>. The servlet engine will then automatically append the jsessionid to the url if it is necessary. Here's an example:

    <%--this is bad:--%> <a href="page.html">link</a>

    <%--this is good:--%> <a href="<c:url value='page.html'/>">link</a>

Zakir Hemraj
5

See http://tomcat.apache.org/tomcat-5.5-doc/config/context.html.

In a file META-INF/context.xml,

<?xml version='1.0' encoding='UTF-8'?>
<Context path='/myApplicationContext' cookies='false'>
  <!-- other settings -->
</Context>
Loki
  • 1
    This seems to append JSESSIONID to the url on the first request to the application. But, how do I ensure that it gets appended to subsequent requests? – Zakir Hemraj Jan 13 '09 at 17:01
0

Best way is to use URL rewriting. So, when you use request.getSession(), the container will send "Set-Cookie" header for session-id in HTTP-response as well as session-id appended to URL (but you must use response.encodeURL(session_info) for url rewriting).

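import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Method of a class that extends javax.servlet.http.HttpServlet
public void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    resp.setContentType("text/html");
    PrintWriter pw = resp.getWriter();
    // Create the session first so that encodeURL() has an id to append
    HttpSession session = req.getSession();
    pw.println("<html><body>");
    // encodeURL() appends the session id only when URL rewriting is needed
    pw.println("<a href=\"" + resp.encodeURL("/session_info") + "\">Click</a>");
    pw.println("</body></html>");
}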
Prateek Joshi
0

You could track by IP address, but proxy servers (and NAT?) could mess you up.

You could force all URLs to have the session as a parameter, and all forms as a hidden field. Maybe a custom tag for generating URLs could help here, but I've not done much work with taglibs.

You will need to consider security - people might email links to someone else with the session id in it, so you will want to have an IP address check for each access to check that the address matches the session.

JeeBee
  • I'd recommend never tracking by IP address because of VPNs. This answer is old, so I won't downvote but I strongly advise against this for future answer lookers. – abeauchamp Mar 11 '16 at 00:27
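The following is an added example, not part of any answer on this page: a Python sketch that reads access-log lines, pulls the `;jsessionid=` path parameter out of each request target (the URL shape shown in the accepted answer), strips it before the line is stored, and reports ids that were presented from more than one client address, which is what a forwarded link looks like in a log. The log layout, the addresses and the second session id are constructed sample data; because addresses also change behind proxies, NAT and VPNs, the report is a signal for review, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample lines: client address, method, request target.
SAMPLE_LOG = """\
203.0.113.10 GET /app/page.html;jsessionid=123456AFGT3
203.0.113.10 GET /app/list.html;jsessionid=123456AFGT3?param1=value&param2=value2
198.51.100.7 GET /app/list.html;jsessionid=123456AFGT3?param1=value&param2=value2
198.51.100.7 GET /app/page.html;jsessionid=9F00AA11BB22
192.0.2.44 GET /app/search.html?q=a;jsessionid=NOTASESSION
192.0.2.44 GET /app/page.html
"""

# The id is a path parameter: it follows ';' and ends at the next ';', '?' or '#'.
_JSESSIONID = re.compile(r";jsessionid=([^;?#]*)")


def split_session(target):
    """Return (session id or None, target with the id removed)."""
    path, sep, rest = target.partition("?")  # only the path part carries the id
    match = _JSESSIONID.search(path)
    if match is None:
        return None, target  # text after '?' is ordinary query data, left as is
    return match.group(1), _JSESSIONID.sub("", path) + sep + rest


def analyse(log_text):
    """Return (redacted lines, {session id: addresses} for ids seen from >1 address)."""
    seen = defaultdict(set)
    redacted = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        addr, method, target = line.split(" ", 2)
        session_id, clean = split_session(target)
        if session_id:
            seen[session_id].add(addr)
        redacted.append(f"{addr} {method} {clean}")
    shared = {sid: sorted(a) for sid, a in seen.items() if len(a) > 1}
    return redacted, shared


if __name__ == "__main__":
    lines, shared = analyse(SAMPLE_LOG)
    print("\n".join(lines))
    for sid, addrs in shared.items():
        print(f"review: session id ending in {sid[-4:]} seen from {len(addrs)} addresses")
```
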
0

As matt b commented this should work out of the box (tomcat will try cookies, and if that fails fall back on encoding the session in the url). However, this will not work if you create a 'plain' link yourself - always use a method like JSTL's <c:url> so tomcat can add the tracking parameter to all urls.

Simon Groenewolt