
How does the creation of an HttpSession work when the request is coming from a web server instead of a web browser?

I have a very basic question about how the creation of an HttpSession works. I know you folks will fire at me on looking at this question, as similar kinds of questions exist. But there is a reason why I am asking this question. Here it is:

I know an HttpSession is unique to a web browser, and the server creates it when we call HttpServletRequest.getSession for the first time. It will maintain the same session till we close the browser. But I have a slightly different scenario. I have a web application on one Tomcat instance, say T1. On the welcome page of this web application I have provided two links; clicking either takes me to the same Java servlet (S1) of a different web application hosted on another Tomcat instance, T2 (these two links open two separate pop-up windows). Now first I click link1 and inspect the session ID in S1 and find its value is 1678. Now I click link2 and inspect the session ID in S1 and find its value is again 1678. My question here is: why am I getting the same session ID for both the requests originating from link1 and link2? What can I do to get a different session for each of these requests?

What I tried after looking for possible solutions on the net: on click of link1, in servlet S1, I copied the session attributes, invalidated the session and created a new one. Say the new session ID is 8765. Now I click link2 and find the same session in this request too. So I again invalidate it and create a new one (say the new session ID is 4897). Ideally it should expire the first browser session (generated on click of link1). To verify it, I click anywhere on pop-up 1; it does not get expired, but I again see the last generated session ID, i.e. 4897. I don't understand why it is attaching the same session ID to both pop-up windows.

Folks, thanks for your patience in taking the time to read this long scenario.

Edit :-

    // Re-send every cookie from the request with MaxAge 0 so the browser expires it
    Cookie[] cookies = req.getCookies();
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            cookies[i].setMaxAge(0);
            context.getResponse().getHttpServletResponse().addCookie(cookies[i]);
        }
    }

    HttpSession myAppSession = req.getSession(); // line 1

Assume on click of link1 I get the session ID 1234; then after clicking link2 I also get the same session ID. As per my understanding, after executing the code above line 1, I should get a different session ID, as I am setting MaxAge to 0 before getting the session. But it's not happening?

M Sach asked Feb 06 '12 05:02


1 Answer

I think this is what you are looking for:

By default, session tracking happens by cookies. The web server sends the session ID to the browser in the form of a cookie, and the browser sends the cookie holding the session ID with subsequent requests.

How does the browser identify which cookies to send for a link/request? It is based on these parameters. If the request matches these parameters, the browser sends that particular cookie:

  1. Domain: The domain name to which the request is made. Verify in your case whether the domain name is the same for the two instances.
  2. Path: Whether the path name is the same. The web server sends the context root as the path; requests under the same context root share cookies.
  3. Secure: The server sends whether the given cookie is secure or not, meaning whether the cookie can be sent over a non-secure channel.

These parameters will let the browser send the cookies to the server. And because the same cookie is sent for both the instances you have, I think the session ID is being shared.

If the request properties such as request URI, domain and path (i.e., context root) are the same between requests, there is no way to tell the browser to use different cookies.

You have some options below:

  1. Use different domain names.
  2. Use different context roots.
  3. Have an LB in front of the two nodes and redirect to the correct node based on session ID.
Ramesh PVK answered Oct 20 '22 13:10
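The cookie-selection rules listed in the answer above (domain, path, secure), modeled as an added example that is not part of the original answer. The host names, context roots and jar contents are constructed sample values, and the matching follows the RFC 6265 rules in simplified form; note that the port plays no part in the match.

```javascript
// Simplified model of how a browser picks cookies for a request (RFC 6265 rules).
// All hosts, paths and jar contents below are constructed sample values.

// Domain match: exact host, or a subdomain when the cookie carried a Domain attribute.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Path match: equal, or the cookie path is a prefix that ends at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns the Cookie header value the browser would send for `url`.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c)) // the port is not compared
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Jar after the first pop-up: one session cookie scoped to the context root
// of the web application on T2 (hypothetical context root "/app").
const jar = [
  { name: "JSESSIONID", value: "1678", domain: "t2.example.test",
    hostOnly: true, path: "/app", secure: false },
];

const link1 = "http://t2.example.test:8080/app/S1?from=link1";
const link2 = "http://t2.example.test:8080/app/S1?from=link2";
const otherContext = "http://t2.example.test:8080/app-b/S1"; // different context root
const otherHost = "http://t2b.example.test:8080/app/S1";     // different domain name

console.log("link1        ->", cookieHeaderFor(jar, link1));
console.log("link2        ->", cookieHeaderFor(jar, link2));
console.log("otherContext ->", cookieHeaderFor(jar, otherContext) || "(no cookie)");
console.log("otherHost    ->", cookieHeaderFor(jar, otherHost) || "(no cookie)");
```

Both pop-ups share one browser cookie jar, so both links carry the same session cookie; only a different domain name or context root yields a request without it, at which point the server creates a new session.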