Re: session tracking problem

Craig R. McClanahan Thu, 6 May 1999 07:43:06 -0700
Michael Stacey wrote:

> Though this may seem inappropriate for this group, I only run into
> problems with Apache/JServ, so I thought that maybe someone here has
> solved this problem...
>
> I'm trying to use session tracking as illustrated in Hunter's
> _Java Servlet Programming_ book from OReilly, and it doesn't seem
> to work under my new Apache/JServ installation on NT.

>
> Here is a sample protected servlet:
> -----------------------------------------------------------------------------
> public class ProtectedServlet extends HttpServlet {
>     public void doGet(HttpServletRequest req,
>                       HttpServletResponse res)
>         throws ServletException, IOException {
>
>         res.setContentType("text/plain");
>         PrintWriter out = res.getWriter();
>
>         HttpSession session = req.getSession(false);
>         if ( session == null ) {
>             log("creating session");
>             session = req.getSession(true);
>         }
>
>         Object done = session.getValue("login.isDone");
>
>         if ( done == null ) {
>
>             log("storing target: " + HttpUtils.getRequestURL(req).toString());
>             session.putValue("login.target",
>                               HttpUtils.getRequestURL(req).toString());
>
>             String stored = (String)session.getValue("login.target");
>
>             log("stored: " + stored);
>
>             res.sendRedirect(req.getScheme() + "://"
>                              + req.getServerName() + ":"
>                              + req.getServerPort() + "/login.html");
>             return;
>         }
>
>         out.println("secret stuff");
>     }
> }
>

You should call res.encodeRedirectUrl() around the argument to the sendRedirect() (in 
every place you use
it) to ensure that a URL version of the session ID gets included.  If this is the 
first interaction with
a particular session, the servlet engine does not yet know if the user's browser 
supports cookies, so it
needs to send the session ID both ways.  The next request from the client will either 
include or not
include the cookie, but it will always have the URL version -- which will be turned 
off on any future
requests for this session if the cookie was in fact present.

[Snipped remainder of the example]

Craig McClanahan




----------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
READ THE FAQ!!!!     <http://java.apache.org/faq/>
Archives and Other:  <http://java.apache.org/main/mail.html/>
Problems?:           [EMAIL PROTECTED]
Re: session tracking problem

Reply via email to
