Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Session is lost and created as new in every servlet request

I have this big issue. My current session is gone every time I made a new request to Server.

I have checked in a lot of places. I can't find what's the problem. I also have included session-config in web.xml both in tomcat and application. I also enabled to accept cookies to my browsers. Tested in every browser. It's not working.

I am just developing a simple java ee applcation using JSP/Servlet. I am facing the problem only after I have deployed to tomcat in server machine.

like image 663
Min Soe Avatar asked Jan 26 '10 08:01

Min Soe


People also ask

What is session in servlet how it is created?

Session simply means a particular interval of time. Session Tracking is a way to maintain state (data) of an user. It is also known as session management in servlet.

How can you maintain session in servlet?

Servlet Session Management is a mechanism in Java used by Web container to store session information. Session tracking is a way to manage the data of a user, this is known as session management in servlet. Session in Java are managed through different ways, such as, HTTP Session API, Cookies, URL rewriting, etc.

What is session in servlets?

Session tracking is a mechanism that servlets use to maintain state about a series of requests from the same user (that is, requests originating from the same browser) across some period of time. Sessions are shared among the servlets accessed by a client.

Why Jsessionid is created?

JSESSIONID is a cookie generated by Servlet containers and used for session management in J2EE web applications for HTTP protocol. If a Web server is using a cookie for session management, it creates and sends JSESSIONID cookie to the client and then the client sends it back to the server in subsequent HTTP requests.


1 Answers

One possible cause for this is having a "naked" host name (i.e. one without a domain part). That's fairly common if you're working in an Intranet.

The problem is that almost all browsers cookies will not accept cookies for hostnames without a domain name. That's done in order to prevent evilsite.com from setting a Cookie for com (which would be bad, as it would be the ultimate tracking cookie).

So if you access your applicaton via http://examplehost/ it won't accept any cookie, while for http://examplehost.localdomain/ it will accept (and return) the cookie just fine.

The nasty thing about that is that the server can't distinguish between "the browser got the cookie and ignored it" and "the browser never got the cookie". So each single access will look like a completely new sesson to the server.

like image 197
Joachim Sauer Avatar answered Sep 20 '22 21:09

Joachim Sauer