Hi Peter,
Unfortunately, there's no foolproof way to do what you're trying to do.
The limitation is imposed on the client-side. Your success depends on
how much control you have over your users, i.e. it becomes a training
issue.
A good description of the issues involved is on page 134 of Hans
Bergsten's book, _JavaServer_Pages_.
Your best bet is to force tomcat to always use session rewriting instead
of cookies (assuming that's possible), but even that's not entirely
foolproof.
Good luck.
Peter Alfors wrote:
>
> Hello all,
>
> I originally posted a question about session ids on the struts-user
> list, but then realized that this is a better question for this list.
> Thanks for all the info about session ids (craig, gary, steven,
> etc). I hate to beat a dead horse, but I have ANOTHER question on
> session ids.
>
> I have changed to the tomcat server.xml to turn off cookies.
> <RequestInterceptor
> className="org.apache.tomcat.request.SessionInterceptor"
> noCookies="true"/>
>
> This is my complete jsp page:
>
> <HTML>
> <BODY>
> Session Id: <%= session.getId() %>
> </BODY>
> </HTML>
>
> I am using Tomcat 3.2.1 stand-alone.
>
> When I run this, the session id's are still the same for two separate
> instances of netscape 4.7. (both instances started from the desktop).
> What am I missing to force the session id's to be different?
>
> Any help would be immensely appreciated,
> Pete
>
> "Kramer, Gary" wrote:
>
> >
> >
> >
> > When I try Netscape4.7, it gives me different sessions IDs. As I
> > understand it, the session id is assigned by Tomcat (i.e.
> > jsessionid=asdkfjl), not by the browsers. If you disable cookie use
> > in Tomcat and there is no jsessionid parameter in the URL, then Tomcat
> > cannot link your request to any session and therefore has no choice
> > but to create a new session.
> >
> > Your explanation of using <html:link> and rewriting within a session
> > is exactly what I'm doing (or trying to do). I also put in some
> > defensive code to determine if the user messed with the URL or created
> > a new browser with the same URL. I put code in my Form bean's reset
> > method to double check that the request that is coming in actually
> > applies to the object the user was last working on. This also defends
> > against some of the problems caused by hitting the back and forward
> > buttons. Still, very annoying.
> >
> > -----Original Message-----
> > From: Peter Alfors
> > To: [EMAIL PROTECTED]
> > Sent: 2/1/01 5:11 PM
> > Subject: Re: session ids cont...
> >
> > I added the "noCookies" attribute and set it to "true". However, the
> > two
> > instances of Netscape 4.7 still show that they are using the same
> > session.
> > I.E. 5.0 does display different session ID still.
> >
> > see notes below...
> >
> > "Craig R. McClanahan" wrote:
> >
> > > Peter Alfors wrote:
> > >
> > > > "Kramer, Gary" wrote:
> > > >
> > > > >
> > > > >
> > > > >
> > > > > I had similiar problems. You need to turn off the use of
> > Cookies
> > on
> > > > > your server (in Tomcat this setting is in server.xml). When
> > the
> > user
> > > > > opens 2 browsers, they will always have different session ids in
> >
> > both
> > > > > IE and Netscape since the first URL they will use will not have
> > a
> > > > > session id included.
> > > > >
> > > >
> > > > How do I turn off the use of cookies in the server.xml? I only
> > see
> > one
> > > > location where cookies are mentioned.
> > > > <!-- Request processing -->
> > > > <!-- Session interceptor will extract the session id from
> > > > cookies and
> > > > deal with URL rewriting ( by fixing the URL )
> > > > -->
> > > > <RequestInterceptor
> > > >
> > className="org.apache.tomcat.request.SessionInterceptor"
> > />
> > > >
> > > > Do I comment out this section?
> > > >
> > >
> > > For Tomcat 3.2.1 there is a noCookies attribute on this entry that
> > defaults
> > > to "false". You need to set it to "true":
> > >
> > > <RequestInterceptor
> > > className="org.apache.tomcat.request.SessionInterceptor"
> > > noCookies="true"/>
> > >
> > > NOTE: Using URL rewriting does *not* catch every case of multiple
> > windows
> > > sharing session ids. Consider that the user can right-click on a
> > hyperlink
> > > (containing the session id) and select "Open in New Window".
> > Because
> > the
> > > hyperlink being clicked had a session id in it already, the new
> > window
> > will
> > > still be part of the old session -- so your app logic needs to be
> > ready to
> > > deal with this.
> > >
> >
> > So it sounds like what I am looking for is to get the browser
> > instances
> > (IE and
> > Netscape) to generate unique session ids. Then, I need to perform
> > URL-rewriting
> > for all of my links within the webapp. This will solve my problem if
> > the user
> > has opened up multiple browser instances (from the desktop, not
> > through
> > file
> > --> new--> Window).
> > I can use the <html:link> tag to accomplish this throughout the site.
> >
> > However, I will also need to add some sort of "smarts" to the app to
> > handle the
> > possibility that the user opened a new browser instance from the (file
> >
> > --> new
> > --> Window) option.
> >
> > Am I on the right track? (sorry if I sound so confused, but I am) :)
> >
> > > Craig McClanahan
> > <<Card for Peter Alfors>>
>
> ------------------------------------------------------------------------
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
