 

Disabling Cookies stops Session as well?

I have been building a web application. So far I have implemented login and registration: a user can register and then log in to the web application. Everything is working fine. What I am doing is: when the user clicks the Login button, a servlet is invoked where I check whether the credentials are correct; if validated, I save isLoggedIn in the HttpSession and redirect to the home page.

LoginServlet.java

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        boolean isValidated = false;
        // ... Service Layer is invoked here and checks for user validation

        // Assume isValidated to be true
        if (isValidated) {
            // Discard any session that existed before login, so an id an attacker planted is never promoted (session fixation)
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = request.getSession(true); // container issues a fresh JSESSIONID
            session.setAttribute("isLoggedIn", Boolean.valueOf(true));
            // ...
            response.sendRedirect(request.getContextPath() + "/home");
        } else {
            response.sendRedirect(request.getContextPath() + "/login?invalid");
        }
    }
}

HomeController.java

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class HomeController extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // getSession(false) only looks up an existing session; getSession() would silently create an empty one for every anonymous hit
        HttpSession session = request.getSession(false);
        Boolean isLoggedIn = session == null ? null : (Boolean) session.getAttribute("isLoggedIn");
        if (isLoggedIn != null && isLoggedIn) {
            // ... Service Layer is invoked to fetch `Home Page Data`
        } else {
            response.sendRedirect(request.getContextPath() + "/login?expired");
        }
    }
}

All of a sudden I have encountered a strange problem: if I disable cookies for localhost using Firebug I am not able to log in anymore. No matter whether I enter the correct username and password, each time I am redirected to /login?expired.

I don't get it. Cookies are meant to be stored on the client side and sessions are stored on the server side, so why can't a session attribute be set if cookies are disabled?

I have tried disabling cookies for an already built Spring MVC web application which is in production, and I am having the same issue there as well.

mukesh kumar Jangid Avatar asked Jul 15 '15 11:07



1 Answer

When cookies are enabled, the session is stored in a cookie under the name JSESSIONID.

If cookies are disabled, the container should rewrite the session id as a GET parameter (i.e. &JSESSIONID=1223456fds at the end of all URLs).

If the URL rewriting isn't on by default, see your container's documentation on how to enable it.

You might want to consider modern frameworks (for example Spring MVC with Thymeleaf) which will automate this for you. Otherwise you need to make sure you're rewriting URLs with response.encodeURL() as Ouney directs in his answer.

Kayaman Avatar answered Sep 20 '22 22:09

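The mechanism the answer describes, as an added Java example that is not part of the original question or answer: the session lives on the server, but the client must hand back its session id on every request, either in the JSESSIONID cookie or, when cookies are unavailable, as the `;jsessionid=...` path parameter that the Servlet specification defines for URL rewriting (a path parameter, not a query-string parameter). The container appends that parameter only through `response.encodeURL()` and `response.encodeRedirectURL()`, so a plain `sendRedirect("/home")` drops the id and the next request arrives session-less, which is exactly the `/login?expired` loop in the question. The servlet name `SessionDemoServlet` and the `/session-demo` mapping are assumed for illustration; the `isLoggedIn` attribute is the one from the question.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added demo servlet (hypothetical, not from the original page). Deploy it in
 * the same web application as the login code, log in, then request
 * /session-demo once with cookies enabled and once with cookies blocked. It
 * reports how the container located the session and what URL rewriting yields.
 */
@WebServlet("/session-demo")
public class SessionDemoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Only look up an existing session; never mint one for an anonymous hit.
        HttpSession session = request.getSession(false);

        // The container fills these in from the incoming request: did the id
        // arrive in a Cookie header, or as the ";jsessionid=..." path parameter?
        boolean fromCookie = request.isRequestedSessionIdFromCookie();
        boolean fromUrl = request.isRequestedSessionIdFromURL();
        boolean valid = request.isRequestedSessionIdValid();

        // encodeURL / encodeRedirectURL append ";jsessionid=<id>" only while the
        // container has not yet seen this client send the session cookie back.
        // Once a cookie comes in, both return the URL unchanged. Every link and
        // every sendRedirect target must pass through them, otherwise a
        // cookieless client reaches the next page without its session.
        String ctx = request.getContextPath();
        String homeLink = response.encodeURL(ctx + "/home");
        String loginRedirect = response.encodeRedirectURL(ctx + "/login?expired");

        if (session == null) {
            // The situation from the question: no cookie and no rewritten URL,
            // so there is nothing to look up on the server side.
            response.sendRedirect(loginRedirect);
            return;
        }

        Boolean isLoggedIn = (Boolean) session.getAttribute("isLoggedIn");

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.printf("<p>session id: %s, isLoggedIn: %s</p>%n", session.getId(), isLoggedIn);
        out.printf("<p>id arrived via cookie: %b, via URL: %b, valid: %b</p>%n",
                fromCookie, fromUrl, valid);
        // With cookies blocked, this link carries ";jsessionid=<id>"; with cookies on, it is plain.
        out.printf("<p><a href=\"%s\">home</a></p>%n", homeLink);
    }
}
```

Before relying on URL rewriting in production, weigh the cost: a session id embedded in the URL ends up in browser history, proxy and server access logs, and the Referer header of every outbound link, so it is much easier to steal than a cookie. Since Servlet 3.0 you can forbid it outright with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml (and harden the cookie itself with `<cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>`), in which case clients with cookies disabled simply cannot log in, which is usually the right trade-off.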