Session management with Tomcat and cookies

Question

I am having a difficult time conceptualizing how Tomcat handles cookies and session management behind the scenes.

When or where does Tomcat issue cookies to manage an HttpSession? According to This question / answer, sessions are created from an initial call to getSession().

If I am running a Filter and call getSession(), does that automatically attach the necessary cookie (assuming I have configured web.xml to use cookies) to the ServletResponse? If not, how do I do so? I am not running any jsp's.

Answer 1

Java Servlets manage cookies and state transparently for you, under the hood. Tomcat is the web server that Java Servlets run inside of.

The way web servers manage cookies is they directly send them in the HTTP request, I'm not 100% sure of the protocol text, but I believe it is simply that Tomcat will send "SET COOKIE:..." in the actual HTTP that is sent to your browser.

The important thing to note here is that Tomcat and the java Servlet specification are coupled - Tomcat hosts Servlets, and provides interface implementations that wrap the basic aspects of HTTP communication : for example, here is its Cookie interface ---- http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/Cookie.html.

In general, this shouldn't be your biggest concern when writing a web app, unless you are doing something fancy. The Servlet api is supposed to abstract this by giving you access to the Session API that allows you to set/get objects specific to the client your dealing with.