RE: Session handling, do it yourself?

[Austin Mills]

Based on the limitations of various web services clients that we need to support (Flash, Flex, .NET, etc.), we’ve moved to allowing the session ID to be sent either via HTTP headers or SOAP headers – we use Tomcat and have handlers in the request chain to make it all look the same to the server and allow us to do our own session handling.  We had briefly discussed a scheme such as the one you describe, but it was going to make it harder for clients to abstract their session management away from the actually protocol calls, which is something they wanted to be able to do (that is, have a layer in the client that handled the SOAP communication and remembered the session ID and other session-specific information).   Jarmo, I didn’t follow your comment about needing a special WSDD at all clients – can you explain that?   --Austin   From: Clarence Dahlin [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 20, 2005 2:35 AM To: axis-user@ws.apache.org Subject: RE: Session handling, do it yourself?   I'm also considering the approach where I handle the sessions myself as parameters to the operations. I've been told that it would be more scalable and somewhat faster to let the soap toolkits handle sessions in soap headers. So far, I've been sceptical to this approach for the same reasons as you mention Jarmo. It would be great to hear what experienced Web Service developers say about this and what the most common approach is today. / Clarence -----Original Message----- From: Jarmo Doc [mailto:[EMAIL PROTECTED]] Sent: den 20 september 2005 00:26 To: axis-user@ws.apache.org Subject: Session handling, do it yourself? I've been investigating session handling and have almost convinced myself that for my particular situation I should just do it myself.  Each of my WS clients juggle multiple end-user sessions so the simple, default cookie solution doesn't work on its own (because the cookie identifies the WS client session, not an end-user session). I've looked into using SOAP headers but it just seems to be too complex -- I'd have to write server code, my clients would have to write code, plus we'd need special WSDD at both server (not too bad) and *all* clients (very undesirable).  Also, as far as I can tell, I couldn't use java2wsdl to generate the WSDL for session handling so it would have to be maintained manually. So all of this is leading me to the conclusion that I should just do it myself: have my login() operation return a string containing a session ID and then specify that as the 1st parameter on all subsequent session-based operations.  It's trivial code to write and the auto-generated WSDL is correct (and describes session handling to clients in a quite obvious fashion). Am I way off base here and missing something?  Thanks. _________________________________________________________________ Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/