Re: How does Session object resolve user identity?

[Gokul Singh]

Sorry! There is a typo in the previous mail. It should have been javax.servlet.http.HttpServletResponse.encodeURL() instead of javax.servlet.http.HttpServletRequest.encodeURL() regds, Gokul ----- Original Message ----- From: "Gokul Singh" <[EMAIL PROTECTED]> To: "A mailing list for discussion about Sun Microsystem's Java Servlet API Technology." <[EMAIL PROTECTED]> Sent: Thursday, November 23, 2000 1:47 AM Subject: Re: [SERVLET-INTEREST] How does Session object resolve user identity? > > How does the session know which user is accessing it? Does it resolves the > > user identity by IP address or cookie or IP address plus port number ... > > etc? > > It is not based on IP address or Port no. or any combination there of. > > The server generates a session and an associated unique session id and sends > this session id to the client. The client then sends to the server this > session id on each subsequent request it makes to the server. The server > recognises the client based on this session id. > > Now there are different ways for the passing of the session id from the > server to the client and back. > > The first one is a cookie.The id is passed to and fro as a cookie. > > The second method is to put the session id as a part of the url. So any url > that you leads to your site has the session id as part of the url. This can > be achieved by using the method > javax.servlet.http.HttpServletRequest.encodeURL(). More details on this > method are given in the API docs. > > The third method is to use hidden variables in your html. Although in > version 2.2 and beyond you can not retrieve a session based on the ID, you > can build your own framework to wrap around the servlets session retrival to > do that. > > > > The problem is in mobile phones in Japan, cookie is not allowed. Also, > there > > is usually a gateway hiding the server, so all user will have same IP > > address ( but they will have different port number) and if session resol ve > > by IP address only, then users will have access to other users session > > object. > > I think it is answered above. > > > > > > Anthony Mak > > > > Regds, > Gokul > ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html