Tom, this is 100% correct "there is no way to even instantiate a session object from a self-supplied session-id let alone replace the current session object in the HttpRequest." but I am still a little curious as to why Tomcat's generated session id is not adequate, is it purely because you can't get at it early enough?

Yes, the session id itself is adequate, I don't want to change that at all, nor do I want to change the session manager.

What I want to change is how the session id is communicated to the client and back. Basically, I want to change the object that retrieves the session ID from the HTTP request and feeds it to the session manager. (storing the session id in an additional header in the response is no problem)

The problem with both cookies and session IDs in the URL is that we develop applications for use on cellphones. Cell network operators are a bunch of not-so-nice-people who sometimes feel the need to screw up HTTP traffic in their gateways, e.g. by messing with cookies and session IDs. There is no guarantee that the cookies that arrive on the handset are the same as the ones that have been sent out from our servers. Sometimes cookies go missing, standard HTTP headers are mutilated, etc.

Our experience is that the custom X-headers are left alone, so we want to use a custom header to send and retrieve the session ID.

After reading a little, Tomcat 5x onwards comes with session replication capabilities, which means there is some code which you can reference and write a valve that intercepts the request as soon as a new session is created and before it's sent back to the user in the response, an example of this being the ReplicationValve which ships with Tomcat. You can then persist it in a database or do whatever you want with it.

I've looked at the Tomcat API docs and it seems to me the session manager itself is not responsible for retrieving the session id; the session id is fed to it by someone else. (See 'findSession' in ManagerBase.) Also, sending the session id back to the client is not the problem; I can use a filter to do that. The problem is that if the client sends the session ID to the server in a custom header, Tomcat needs to pick up that session id and use that when calling findSession. So who is calling findSession, and is it something I can easily replace?

Furthermore, as an additional difficulty, we only use sessions in a subset of our applications, so it would be preferable if this is something we can enable on a per-application basis.

I hope this clarifies what I'm trying to do.

Sincerely,
   Tom
--

**Tom van Wietmarschen**
Software Engineer

Service2Media B.V.
Vreelandseweg 7
1216 CG Hilversum

Capitool 41 7521 PL Enschede

Tel  +31 (0)35 626 46 12
Fax +31 (0)35 626 46 13
www.service2media.com <http://www.service2media.com>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
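
One way to feed a header-borne session ID to Tomcat per application, shown as an added example that is not part of the original message or of Tomcat itself. It assumes Tomcat 6 through 9 (`javax.servlet`), and the header name `X-Session-Id`, the package and class name, and the accepted ID pattern are all hypothetical choices. Sending the ID back to the client is left to the filter the message mentions.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Reads the session ID from a custom request header and records it as the
 * requested session ID before the application first calls getSession().
 * Enable it only where needed by declaring it inside that application's
 * Context: <Valve className="example.HeaderSessionIdValve"/>
 */
public class HeaderSessionIdValve extends ValveBase {

    // Assumed header name; the original message does not name one.
    static final String HEADER = "X-Session-Id";

    // Assumed ID shape: bounded length, conservative alphabet. Tighten this
    // to match the IDs your session manager actually generates.
    static final Pattern ID = Pattern.compile("[A-Za-z0-9._-]{16,128}");

    // Reject missing, oversized or oddly encoded values before they are
    // used as a lookup key or end up in logs.
    static boolean isWellFormed(String id) {
        return id != null && ID.matcher(id).matches();
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String id = request.getHeader(HEADER);
        if (isWellFormed(id)) {
            // The header takes precedence over whatever the connector
            // parsed from a (possibly mangled) cookie or URL parameter.
            request.setRequestedSessionId(id);
            request.setRequestedSessionCookie(false);
            request.setRequestedSessionURL(false);
        }
        // The session manager still decides whether this ID maps to a live
        // session; the valve only changes where the ID is read from.
        getNext().invoke(request, response);
    }
}
```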
