tomcat-users mailing list archives

From André Warnier
Subject Re: Moving from a very old Tomcat to a new Tomcat.
Date Wed, 11 Jun 2008 16:11:22 GMT

Christopher Schultz wrote:

> | (And, as a secondary question, what does one exactly put in it then, so
> | that it still matches the "session key" ? Or can you just put something
> | arbitrary in it, and Tomcat will use whatever is there to identify the
> | session data store ?)
> The cookie must be called JSESSIONID, and the value must be the id of
> the session. So, you can just do something like this:
> response.addCookie(new Cookie("JSESSIONID", request.getSession().getId()));
Christopher Schultz (also) wrote:
> Tomcat generates the cookie the first time you call
> HttpServletRequest.getSession(true) and the session is actually created.

I'm possibly nitpicking, but still trying to get a full crash-proof 
explanation:

Imagine the following scenario (and sorry if some of the terms I'm using 
are not the official ones):

A servlet context consists of a servlet (code), and a context descriptor 
(web.xml) which points to this servlet code, and also establishes a 
"security context" (in other words says that access to this servlet is 
subject to certain criteria).
A browser sends a request for this servlet context.  Tomcat receives the 
request, and determines that it needs authentication.
At this point, the code of the servlet has not yet been invoked, so 
there has been no opportunity for the servlet to call 
(true/false ?)
So according to the above, neither the session nor the JSESSIONID cookie 
have yet been created.
(true/false?)
Since there is no session, there is no stored user-id, and Tomcat sends 
back a 401 response (or a login form, depending).
There cannot be a JSESSIONID cookie in this server response, because no 
session exists yet.
The user authenticates, the authentication is checked, and now by some 
mechanism the call is redirected to the originally-requested URL.
But still according to the above, there is no session yet, because 
HttpServletRequest.getSession() has still not been called.

But Tomcat must be able to retrieve the authenticated user-id somewhere, 
before allowing the servlet code to be executed.  So if there is no 
session yet, where does it get it?

The above cannot all be correct, there is a contradiction somewhere.  Or 
is it just me being thick?

(I also have a problem with the 
HttpServletRequest.isRequestedSessionIdValid() call, because I fail to 
see a case where the return value would be false.  But I'll get to that 
one later, if I haven't exhausted everyone's patience by then.)
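As an added example (not code from this thread or from Tomcat itself), here is a diagnostic servlet that reports what the questions above ask about: whether a session already existed when the servlet code was first invoked, whether the browser sent a JSESSIONID cookie, and what HttpServletRequest.isRequestedSessionIdValid() returns. It also shows the case where that call is false: after the session is invalidated, the browser still sends the old cookie, so the next request carries an id that no longer names a live session. The servlet class name, the `action=logout` parameter and the web.xml mapping are assumptions for the example.

```java
// Added example (not from the thread): a diagnostic servlet that shows the
// session state Tomcat hands a servlet on invocation, plus the one case in which
// isRequestedSessionIdValid() returns false: a JSESSIONID cookie naming a session
// that has since been invalidated or has expired. Assumes javax.servlet (2.5+)
// and a web.xml mapping such as /session-check (both assumptions, not from the thread).
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionCheckServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // Did the browser send a JSESSIONID cookie at all?
        String sent = null;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("JSESSIONID".equals(c.getName())) sent = c.getValue();
            }
        }
        out.println("JSESSIONID cookie sent by browser : " + sent);
        // false when the id sent refers to no live session (invalidated, expired, forged)
        out.println("isRequestedSessionIdValid()       : " + req.isRequestedSessionIdValid());
        // getSession(false) never creates a session, so this tells you whether the
        // container (e.g. its authenticator) created one before the servlet code ran.
        HttpSession existing = req.getSession(false);
        out.println("session existed before servlet ran: " + (existing != null));
        out.println("getRemoteUser()                   : " + req.getRemoteUser());
        if ("logout".equals(req.getParameter("action")) && existing != null) {
            // Invalidate without creating a replacement: the browser keeps the old
            // cookie, so its next request carries a stale id and the validity check is false.
            existing.invalidate();
            out.println("session invalidated; reload to see isRequestedSessionIdValid() == false");
            return;
        }
        // Create the session now if none exists; Tomcat emits the Set-Cookie header itself.
        HttpSession s = req.getSession(true);
        out.println("session id now                    : " + s.getId());
    }
}
```

Deploy it behind the same security-constraint as the real servlet and request it once unauthenticated and once after login; the "session existed before servlet ran" line answers the question empirically for the authenticator in use, and `?action=logout` followed by a reload demonstrates the false return value.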

