struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: session ids cont...
Date Thu, 01 Feb 2001 22:47:05 GMT
Peter Alfors wrote:

> I added the "noCookies" attribute and set it to "true".  However, the two
> instances of Netscape 4.7 still show that they are using the same session.
> I.E. 5.0 does display different session ID still.
>
> see notes below...
>
> "Craig R. McClanahan" wrote:
>
> > Peter Alfors wrote:
> >
> > > "Kramer, Gary" wrote:
> > >
> > > >
> > > >
> > > >
> > > > I had similiar problems.  You need to turn off the use of Cookies on
> > > > your server (in Tomcat this setting is in server.xml).   When the user
> > > > opens 2 browsers, they will always have different session ids in both
> > > > IE and Netscape since the first URL they will use will not have a
> > > > session id included.
> > > >
> > >
> > > How do I turn off the use of cookies in the server.xml?  I only see one
> > > location where cookies are mentioned.
> > >         <!-- Request processing -->
> > >         <!-- Session interceptor will extract the session id from
> > > cookies and
> > >              deal with URL rewriting ( by fixing the URL )
> > >           -->
> > >         <RequestInterceptor
> > >             className="org.apache.tomcat.request.SessionInterceptor" />
> > >
> > > Do I comment out this section?
> > >
> >
> > For Tomcat 3.2.1 there is a noCookies attribute on this entry that defaults
> > to "false".  You need to set it to "true":
> >
> >     <RequestInterceptor
> >         className="org.apache.tomcat.request.SessionInterceptor"
> >         noCookies="true"/>
> >
> > NOTE:  Using URL rewriting does *not* catch every case of multiple windows
> > sharing session ids.  Consider that the user can right-click on a hyperlink
> > (containing the session id) and select "Open in New Window".  Because the
> > hyperlink being clicked had a session id in it already, the new window will
> > still be part of the old session -- so your app logic needs to be ready to
> > deal with this.
> >
>
> So it sounds like what I am looking for is to get the browser instances (IE and
> Netscape) to generate unique session ids.

No, unfortunately it has nothing to do with this -- session ids are generated by
the server, not by the client.  The sad fact of web application development is that
the stupid browsers do not do what we want in all circumstances (for example,
Netscape always sends the same cookies back no matter which Window you are in,
while IE doesn't -- some versions -- or can be configured not to -- some versions).

> Then, I need to perform URL-rewriting
> for all of my links within the webapp.  This will solve my problem if the user
> has opened up multiple browser instances (from the desktop, not through file
> --> new--> Window).
> I can use the <html:link> tag to accomplish this throughout the site.
>
> However, I will also need to add some sort of "smarts" to the app to handle the
> possibility that the user opened a new browser instance from the (file --> new
> --> Window) option.
>
> Am I on the right track?  (sorry if I sound so confused, but I am)  :)
>

Yep ... you *always* need to program defensively with respect to the chance that
the user will have multiple windows open as part of the same session.

>
> > Craig McClanahan

Craig



Mime
View raw message