3

I am using tomcat as my webserver. I hit some url in IE and put some object in HttpSession for that request.

Now my questions:

  1. If I close the browser and and hit the url in new browser, will the object I earlier put in session will be available?

  2. If I don't close the browser and and hit the url in a new tab/window, will the object i earlier put in session will be available?

The HttpSession javadoc says the following:

Provides a way to identify a user across more than one page request or visit to a Web site and to store information about that user.

As per my understanding here term "user" means the "browser". As soon as we open a new browser, then Tomcat/any webserver treats it as a new user. Is this correct? Does Tomcat achieve it using cookies or rewriting URLs?

The javadoc also says:

Session information is scoped only to the current web application (ServletContext).

If that's is the case, any object we set in session should be visible to all user request even firing from different machines as there is servlet context per webserver. But this is true in case of application scope not in session scope. I did not get what it is trying to say here.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
M Sach
  • 33,416
  • 76
  • 221
  • 314
  • Related: http://stackoverflow.com/questions/3106452/java-servlet-instantiation-and-session-variables/3106909#3106909 – BalusC Dec 08 '11 at 18:53

2 Answers2

5

The session is indeed tied to a single browser, and all frames/tabs opened in this browser share the same session. If you exit the browser, you lose the session.

Session tracking is implemented using cookies, but can fall back to URL rewriting if cookies are not accepted by the browser. This, however, requires the developer to be scrupulous and to always use appropriate methods or tags in order to encode the URL of every link and action of the application.

What the last part means is that if you deploy two different webapps in the same servlet container, and the same user, with the same browser, uses both applications, he will have two different sessions: one for each webapp. The session of the first webapp is completely isolated from the session of the second one.

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • Thanks JB Nizet. It brought a lot of clarity. One more question as you told that Session tracking is implemented using cookies. Then in this case when we close the first browser and open the second browser, old object in session should be available to second browser request too as cookies does not get deleted generally on close of browser? – M Sach Dec 08 '11 at 18:25
  • No. Session cookies are not persistent. They're kept ion memory, and are forgotten when the browser exits. – JB Nizet Dec 08 '11 at 18:31
  • Thanks a lot. one last question what if i dont close first browser and open a new browser too.Now will the old object in session put during first request be available to second browser request. – M Sach Dec 08 '11 at 18:37
  • A session is per browser. So the second browser will have a different session from the first one. – JB Nizet Dec 08 '11 at 19:01
1

I think this depends on the server implementation (session cookie or parameter in URL).

By default, Tomcat uses session-cookies, and falls backs on URL parameter if the user-agent refuses cookies.

So the behaviour changes, of course.

  • With cookies
    1. no
    2. yes
  • with URL
    1. no ; yes if full URL with &JSESSIONID copied
    2. no ; yes if full URL with &JSESSIONID copied
rds
  • 26,253
  • 19
  • 107
  • 134