tomcat-users mailing list archives

From Christopher Schultz
Subject Re: cookie-based session tracking, how to start a new session
Date Fri, 01 Feb 2008 14:36:13 GMT

Dave wrote:
| For cookie-based session tracking,  when a user clicks a link on a
| jsp page, how to make the request belong to a new session, not
| existing session.

Since there can only be one session (JSESSIONID) cookie for any given
host/path combination (not entirely true, but Tomcat will pick one and
stick with it), the best you can do with cookies is abandon your current
session and start an entirely new one.

If you want separate windows with separate sessions you need to do one
of the following (in increasing order of difficulty):

1. Use two separate instances of the web browser.
2. Use two different web browsers (e.g. MSIE and ff)
3. Disable cookie-based session tracking (which will fall back to
   URL-rewriting), and remove the HttpServletResponse.encodeURL
   call from the URL you want to act like a jumping-off point.
4. Hack Tomcat's session manager so that it uses a session cookie
   with a name other than JSESSIONID (i.e. it will accept both),
   and include some way to notify the session manager that the existing
   (JSESSIONID) session should be ignored in favor of the other one
   (maybe MYJSESSIONID).

Note that the last one is a total PITA to do in the first place, ties
you to a single version of Tomcat (unless you re-hack each one), and
breaks the servlet specification (which mandates that the session cookie
name is JSESSIONID).

Hope that helps,
-chris
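
The "abandon your current session and start an entirely new one" approach from the message above, as an added example that is not part of the original message: a servlet (hypothetical class name `NewSessionServlet`, assumed to be mapped to a link target such as `/new-session`, with `/` as an assumed landing page) written against the `javax.servlet` API.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: the link on the JSP page points here.
public class NewSessionServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getSession(false) returns the session named by the incoming
        // JSESSIONID cookie, or null; it never creates one.
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            // Abandon the current session: its attributes are unbound and
            // its id is no longer accepted by the container.
            existing.invalidate();
        }

        // Create the replacement session. This must happen before the
        // response is committed, because the container has to send a
        // Set-Cookie header carrying the new JSESSIONID value.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("startedAt", Long.valueOf(System.currentTimeMillis()));

        // Redirect to the assumed landing page. encodeRedirectURL only
        // appends ";jsessionid=..." when cookies are not in use.
        String target = request.getContextPath() + "/";
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

Because the browser keeps a single JSESSIONID cookie for the host/path, every other window of the same browser instance will present the new session id on its next request; the old session is not kept alongside it.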

