tomcat-users mailing list archives

From Christopher Schultz
Subject Re: HtttServletRequest.getSession()
Date Tue, 14 Sep 2010 15:02:46 GMT

On 9/14/2010 9:51 AM, Brian McBride wrote:
>    https request: get session returns ?

Heh. I should have read your question before I posted my own.

> i.e. will the newly created session B replace session A, or will A
> continue to be returned for https requests?  I suspect it will return B,
> on the assumption the client does not store separate JSESSIONIDs for
> secure and insecure channels, but I'm not sure.

The client may differentiate between secure and non-secure cookies.
(I'll have to double-check that with the spec).

> I just had another extensive search and failed to find what I'm looking
> for.  One might think that section SRV.7.2 Creating a Session might
> cover it, but it doesn't and nor does any of SRV.7, the section on
> Sessions, that I have found.  The APIs define the result of the
> getSession() to be the "session associated with" this request.  A text
> search for "session associated with" finds nothing useful.

I'm not sure what you're asking. "The session" refers to an HttpSession
object, which should be obvious from the spec and the API itself. "The
request" should also be obvious, since we're talking about HTTP and a
HttpServletRequest object. The only question is what "associated" means.
This is pretty much entirely up to the client: either the client
provides a JSESSIONID cookie, provides a jsessionid URL parameter, or
provides nothing. In the first two cases, the session id is used to
associate the request with an HttpSession. In the latter case, there is
no session associated with the request. It's also possible that the
provided session id is not valid, in which case there is also no session
associated with the request.

If you call HttpServletRequest.getSession(true) and a session must be
created, then that newly-created HttpSession object becomes the session
associated with the request.

-chris


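The cases described in the reply above, as an added example that is not part of the original message or of Tomcat's own code: a diagnostic servlet that reports how the client supplied a session id, whether that id was valid, and what getSession(false) and getSession(true) then return. It assumes the javax.servlet API of that era on the classpath; the class name SessionAssociationServlet is hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet; the class name is made up for this example.
public class SessionAssociationServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // How the client supplied a session id, if it supplied one at all.
        String source;
        if (req.getRequestedSessionId() == null) {
            source = "nothing";
        } else if (req.isRequestedSessionIdFromCookie()) {
            source = "JSESSIONID cookie";
        } else if (req.isRequestedSessionIdFromURL()) {
            source = "jsessionid URL parameter";
        } else {
            source = "another tracking mechanism";
        }
        // False when no id was sent or the id sent does not name a live session.
        boolean providedIdValid = req.isRequestedSessionIdValid();

        // getSession(false) never creates; null means no session is associated.
        boolean associatedOnArrival = req.getSession(false) != null;

        // getSession(true) creates a session if needed. Call it before any
        // output is committed, because it may have to set a cookie.
        HttpSession session = req.getSession(true);
        boolean newToClient = session.isNew();
        boolean nowAssociated = session.getId().equals(req.getSession(false).getId());

        // Report the outcome without echoing the session id itself.
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("secure channel: " + req.isSecure());
        out.println("client provided: " + source);
        out.println("provided id valid: " + providedIdValid);
        out.println("session associated on arrival: " + associatedOnArrival);
        out.println("session is new to the client: " + newToClient);
        out.println("getSession(false) now returns it: " + nowAssociated);
    }
}
```

Requesting the servlet once over http and once over https from the same browser shows, for that client and container, whether the https request arrives with the id of the session created over http.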