tomcat-users mailing list archives

From Jeremy Pierson <>
Subject Re: Tomcat to read cookies on session start?
Date Fri, 16 Nov 2001 04:39:50 GMT
On Thursday, November 15, 2001, at 12:49 PM, Craig R. McClanahan wrote:

> On Thu, 15 Nov 2001, Deacon Marcus wrote:
>> Date: Thu, 15 Nov 2001 06:52:57 +0100
>> From: Deacon Marcus <>
>> Reply-To: Tomcat Users List <>
>> To: Tomcat Users List <>
>> Subject: RE: Tomcat to read cookies on session start?
>> Hi,
>>> -----Original Message-----
>>> From: Jeremy Pierson []
>>> Sent: Thursday, November 15, 2001 4:52 AM
>>> To:
>>> Subject: Tomcat to read cookies on session start?
>>> I need to create a new object and load it into the session attributes
>>> whenever a new session is created.  To make this more interesting, this
>>> object needs to check for information stored in a cookie sent by the
>>> browser (stored from a prior visit) and fetch any related information
>>> from a database.
>>> I can use a HttpSessionListener to create an object and add it to the
>>> session whenever a new session is created, but the SessionListener (and
>>> the Session it gives access to) do not give access to an
>>> HttpServletRequest object.  So how can I check for cookies or even the
>>> RemoteUser?  These two required resources ARE available in the
>>> HttpServletRequest object, but there is no means of getting to that
>>> object from an HttpSessionListener, is there?
>>> Is a servlet Filter my only option?  I'm running Tomcat 4.0.1.
>>> In case you're wondering, I don't want to *require* users to login to
>>> make these saved settings available, if they choose to use cookies.
>>> They are only required to login to perform tasks that modify certain
>>> data, or read restricted information.
>>> Many thanks in advance!
>>> -jeremy-
>> IMO the best option would be to create a filter checking if(
>> session.isNew() ) { doSomething(); }. Of course, that'd make it 2.3-only.
>> BTW, that's a very good point - when session is created, it's created
>> because of an incoming request, so it would be a nice addition something
>> like HttpSessionEvent.getRequest() to get the request causing session's
>> creation in HttpSessionListener.sessionCreated()? Anyone working on Servlets
>> 2.4 specs here, what do you think?
> More precisely, a session is created because the application told it to --
> by calling request.getSession() -- not because the request happened to
> come in.  I would put the cookie-reading logic in the same place that the
> session-creation logic lives.

*Any* jsp page or servlet can cause a new session, so you'd have to put 
this logic in *all* of them -- or use a filter (which I have), or 
rewrite your own Catalina classes to pass the HttpServletRequest object 
to the HttpSessionListener.

A session listener is the ideal choice for implementing logic that you 
want to occur regardless of which page/servlet triggered the session's 

I am currently using a filter to accomplish this, but it requires more 
code and checking.  Also, once the user *does* authenticate, these 
variables must be reloaded (in case the user logged out and back in as 
somebody else).  An AuthenticationListener would also be very helpful.  
Otherwise, I'm back to using filters, or writing a new Authenticator.  I 
have *NO* problems with the FormAuthenticator that ships w/ Tomcat, but 
it'd be nice if I could have it call some other components to do a few 
things after the session has been authenticated.


>> Greetings, deacon Marcus
> Craig
> --
> To unsubscribe:   <>
> For additional commands: <>
> Troubles with the list: <>
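
The filter approach discussed in this thread, as an added example (not code from any poster or from Tomcat): it loads the session object when a session is new and reloads it when the authenticated user changes. The `PrefsStore` interface, the `prefsStore` context attribute, the `prefsId` cookie and the session attribute names are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Hypothetical names: PrefsStore, "prefsStore", "prefsId",
// "userPrefs", "prefsOwner".
public class SessionInitFilter implements Filter {
    /** Database boundary; an implementation should use parameterized queries. */
    public interface PrefsStore {
        Object forUser(String user);     // keyed by authenticated identity
        Object forToken(String token);   // keyed by cookie token; null = defaults
    }

    // The cookie is client-controlled: accept only an opaque token shape.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9]{16,64}");
    private PrefsStore store;

    public void init(FilterConfig cfg) {
        store = (PrefsStore) cfg.getServletContext().getAttribute("prefsStore");
    }
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession();   // creates one: map the filter narrowly
        String user = req.getRemoteUser();         // null until the container authenticates
        boolean userChanged = user != null && !user.equals(session.getAttribute("prefsOwner"));
        if (session.isNew() || userChanged) {
            // Once authenticated, the login identity wins over the cookie.
            Object prefs = (user != null) ? store.forUser(user) : store.forToken(token(req));
            session.setAttribute("userPrefs", prefs);
            if (user != null) session.setAttribute("prefsOwner", user);
        }
        chain.doFilter(rq, rs);
    }

    /** Returns the validated cookie value, or null if absent or malformed. */
    static String token(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();       // null when no cookies were sent
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if ("prefsId".equals(c.getName()) && TOKEN.matcher(c.getValue()).matches())
                return c.getValue();
        }
        return null;
    }
}
```

The `prefsStore` attribute would be set by a `ServletContextListener`, which the container initializes before filters.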
