Re: Cross Context Session Creation-
On 08/01/2010 07:18, Arnab Ghosh wrote: I found that session created in A and B are different and invisible to each other. But the session ID is same. I want to know is there any chance of overriding existing session in context B?? Is it a mere coincidence or is there any logic behind this same session Id scenario?? It is by design. If a session cookie is received but the session does not exist a new session is created using the ID from the cookie. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cross Context Session Creation-
Dear Friends, In that case - suppose a session with a *D52869941C38BC234**CD9A940429C403A * Id is already present in context B (forwarded from context C ). Now a new request with same jsessionID came to context A . Then context A forwarded the request to context B .then will it override the existing session Id. (I don't know whether it is possible or not). I don't know whether two differenet session belongs to two different context can have a same sessionId or not?? I have another question -- If I comment the method - request.getsession(true) , in that case will there be any session?? Thanks, Ghosh On Fri, Jan 8, 2010 at 2:55 PM, Mark Thomas ma...@apache.org wrote: On 08/01/2010 07:18, Arnab Ghosh wrote: I found that session created in A and B are different and invisible to each other. But the session ID is same. I want to know is there any chance of overriding existing session in context B?? Is it a mere coincidence or is there any logic behind this same session Id scenario?? It is by design. If a session cookie is received but the session does not exist a new session is created using the ID from the cookie. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cross Context Session Creation-
On 08/01/2010 09:44, Arnab Ghosh wrote: Dear Friends, In that case - suppose a session with a *D52869941C38BC234**CD9A940429C403A * Id is already present in context B (forwarded from context C ). Now a new request with same jsessionID came to context A . Then context A forwarded the request to context B .then will it override the existing session Id. Nope, both requests would use the same session in context B. The chances of this happening are slim to non-existant. Session IDs are generated randomly. I have another question -- If I comment the method - request.getsession(true) , in that case will there be any session?? It depends on a number of factors. Simplest way to find out is to try it. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cross Context Session Creation-
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Arnab, On 1/8/2010 5:34 AM, Arnab Ghosh wrote: Can I disable the session creation in context A and C? Sure: make sure all your JSPs have session=false in their headers, and make sure that you call request.getSession(false) and check for NULL every time. If you want to enforce a no-session policy, you could write a filter/valve that wraps the request and throws an exception instead of creating a session (i.e. when request.getSession(true) is called, or if getSession() is called and no session already exists). Because in context B , a request forwarded from context A should not share with a session with a request forwarded from context C in any condition. This is my requirement. How can I achieve that?? So, you forward like this: A - B, session id from A can be used to create a session in B C - B, session id from C cannot be used to create a session in B If that's the case, and B needs a session, then what? Or I can have a unique session Id generator. Id will be unique in all context. Is it possible? If the sessions are not being shared, who cares if they have the same id? Are you overlapping URI spaces? Don't do that. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktHrDwACgkQ9CaO5/Lv0PD6mgCdHprBh+dhH/3jSRmd84BzGeBc hRIAmwZ77zharfv2+VySOc/g166Bfnmo =7sLr -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Cross Context Session Creation-
From: Arnab Ghosh [mailto:gh...@glenwoodsystems.com] Subject: Cross Context Session Creation- Now I want to know while forwarding a request from A to D , whether session will go from A to D or a new session will be created under D. To quote from 7.3 of the servlet spec (which you should read): HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container. To illustrate this requirement with an example: if a servlet uses the RequestDispatcher to call a servlet in another Web application, any sessions created for and visible to the servlet being called must be different from those visible to the calling servlet. Also I want to know how many active session I can create under a web application/context in tomcat?? Whatever your heap size allows. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cross Context Session Creation-
Dear Friends, *To quote from 7.3 of the servlet spec (which you should read): HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container. To illustrate this requirement with an example: if a servlet uses the RequestDispatcher to call a servlet in another Web application, any sessions created for and visible to the servlet being called must be different from those visible to the calling servlet. * Actually I have an doubt . I ran a test cycle. I cleared all cookies and then I sent a request to context A then from there it will forward to context B. I have added session listener in both context. See the below result - I am in a servlet of *context A* Calling *request.getSession(true);* Session Created in A *D52869941C38BC234CD9A940429C403A* ( session listener in context A) Session ID*D52869941C38BC234CD9A940429C403A* Forwarding to another servlet *of context B* session Created in B-*D52869941C38BC234CD9A940429C403A* ( session listener in context B) Request Forwarded I found that session created in A and B are different and invisible to each other. But the session ID is same. I want to know is there any chance of overriding existing session in context B?? Is it a mere coincidence or is there any logic behind this same session Id scenario?? Thanks, Ghosh On Thu, Jan 7, 2010 at 11:50 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Arnab Ghosh [mailto:gh...@glenwoodsystems.com] Subject: Cross Context Session Creation- Now I want to know while forwarding a request from A to D , whether session will go from A to D or a new session will be created under D. To quote from 7.3 of the servlet spec (which you should read): HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container. To illustrate this requirement with an example: if a servlet uses the RequestDispatcher to call a servlet in another Web application, any sessions created for and visible to the servlet being called must be different from those visible to the calling servlet. Also I want to know how many active session I can create under a web application/context in tomcat?? Whatever your heap size allows. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org