tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vincent-Olivier Arsenault" <>
Subject Session tracking question.
Date Thu, 05 Oct 2000 21:00:42 GMT

I'm an old jserv user and have a question regarding tomcat's session
tracking mechanism.


We have to use URI rewriting for many reasons:

1. One of our application spreads over many domains. A session must be
persistent over all of these domains (cookies are bounded to only one

2. You simply can't rely only on cookies because of proxy stripping, browser
configuration (Netscape 6 has cookies disabled without notice per default),
etc. relying only on cookie is the main cause of the 'dropped basket

however, i also want to be able to use cookies when they are available (nice
when users leave our site and come back by typing the url in their browser's
address field).

My problems with jserv were:

1. when cookies were enabled, you couldn't use the the encodeURL() function
(it simply would return the URI unchanged);

2. even when they were enabled, the cookies were sent only once (at session
creation time) so, the sessions were retrievable only on one domain.

i don't know if those behaviours are mendated by the servlet specification
or if they are just jserv's features.

anyways, i had to design our publishing framework with a new session
tracking mechanism that works like this:

1. check for session (from url rewriting).

1a. if session found, check for (our framework's custom) session cookie (for
this domain).
1a1. if cookie found, execute session-handling code.
1a2. if cookie not found, include it in next response,execute
session-handling code.

1b. if session is not found, check for (our framework's custom) session
cookie (for this domain).
1b1. if cookie found, redirect to rewritten url (for consistency, many uses
for that...).
1b2. if cookie not found (no session), execute session-handling code.

2. session-handling code (no document rendering nor streaming yet, so that
we can still write http response headers). this is were all the request
headers and parameters are processed to see if we need a session. after the
code is executed, we check for the existence of a session.

2a. if session is found, enable url rewriting, and send session cookie (for
this domain) and then render document.
2b. if session is not found, disable url rewriting and then render document.


all of this could be included in the servlet engine instead, so my question
is: is there such a mechanism in tomcat (3 or 4) and if not, why (because of
the specs, because for whatever reason it's a bad idea, etc.)?



View raw message