Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Httpsession is applicable for per user or per browser?

Tags:

http

web-applications

servlets

tomcat

I am using tomcat as my webserver. I hit some url in IE and put some object in HttpSession for that request.

Now my questions:

  1. If I close the browser and and hit the url in new browser, will the object I earlier put in session will be available?

  2. If I don't close the browser and and hit the url in a new tab/window, will the object i earlier put in session will be available?

The HttpSession javadoc says the following:

Provides a way to identify a user across more than one page request or visit to a Web site and to store information about that user.

As per my understanding here term "user" means the "browser". As soon as we open a new browser, then Tomcat/any webserver treats it as a new user. Is this correct? Does Tomcat achieve it using cookies or rewriting URLs?

The javadoc also says:

Session information is scoped only to the current web application (ServletContext).

If that's is the case, any object we set in session should be visible to all user request even firing from different machines as there is servlet context per webserver. But this is true in case of application scope not in session scope. I did not get what it is trying to say here.

like image 970
M Sach Avatar asked Jan 01 '26 04:01

M Sach

2 Answers

The session is indeed tied to a single browser, and all frames/tabs opened in this browser share the same session. If you exit the browser, you lose the session.

Session tracking is implemented using cookies, but can fall back to URL rewriting if cookies are not accepted by the browser. This, however, requires the developer to be scrupulous and to always use appropriate methods or tags in order to encode the URL of every link and action of the application.

What the last part means is that if you deploy two different webapps in the same servlet container, and the same user, with the same browser, uses both applications, he will have two different sessions: one for each webapp. The session of the first webapp is completely isolated from the session of the second one.

like image 110
JB Nizet Avatar answered Jan 03 '26 23:01

JB Nizet

I think this depends on the server implementation (session cookie or parameter in URL).

By default, Tomcat uses session-cookies, and falls backs on URL parameter if the user-agent refuses cookies.

So the behaviour changes, of course.

  • With cookies
    1. no
    2. yes
  • with URL
    1. no ; yes if full URL with &JSESSIONID copied
    2. no ; yes if full URL with &JSESSIONID copied
like image 30
rds Avatar answered Jan 04 '26 00:01

rds
Sign in to Comment

Related questions

Making http request in J2ME
Javascript login using cURL in bash script
ASP.NET login does not redirect just logged user properly in Firefox and IE, but works with Chrome
Is HTTP 1.1 pipelining discouraged in native mobile apps?
cURL http post file upload using curl --data in linux command line
How to perform HTTP-Request during pre-processing in Jmeter?
Retrofit2 no key name on URL parameter

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!