Yep, since it has no JSessionID on the url, it must (by definition) be
without a session, so Tomcat creates one for it.
-----Original Message-----
From: Peter Alfors [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 06, 2001 4:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Session ids (netscape)
Thanks for the response. From the messages below, it appears that problem
is
not client-side.
It sounds like if a 'jsessionid' is not passed with the request, then Tomcat
will create a new session.
Is this correct?
Pete
Jim Crossley wrote:
> Hi Peter,
>
> Unfortunately, there's no foolproof way to do what you're trying to do.
> The limitation is imposed on the client-side. Your success depends on
> how much control you have over your users, i.e. it becomes a training
> issue.
>
> A good description of the issues involved is on page 134 of Hans
> Bergsten's book, _JavaServer_Pages_.
>
> Your best bet is to force tomcat to always use session rewriting instead
> of cookies (assuming that's possible), but even that's not entirely
> foolproof.
>
> Good luck.
>
> Peter Alfors wrote:
> >
> > Hello all,
> >
> > I originally posted a question about session ids on the struts-user
> > list, but then realized that this is a better question for this list.
> > Thanks for all the info about session ids (craig, gary, steven,
> > etc). I hate to beat a dead horse, but I have ANOTHER question on
> > session ids.
> >
> > I have changed to the tomcat server.xml to turn off cookies.
> > <RequestInterceptor
> > className="org.apache.tomcat.request.SessionInterceptor"
> > noCookies="true"/>
> >
> > This is my complete jsp page:
> >
> > <HTML>
> > <BODY>
> > Session Id: <%= session.getId() %>
> > </BODY>
> > </HTML>
> >
> > I am using Tomcat 3.2.1 stand-alone.
> >
> > When I run this, the session id's are still the same for two separate
> > instances of netscape 4.7. (both instances started from the desktop).
> > What am I missing to force the session id's to be different?
> >
> > Any help would be immensely appreciated,
> > Pete
> >
> > "Kramer, Gary" wrote:
> >
> > >
> > >
> > >
> > > When I try Netscape4.7, it gives me different sessions IDs. As I
> > > understand it, the session id is assigned by Tomcat (i.e.
> > > jsessionid=asdkfjl), not by the browsers. If you disable cookie use
> > > in Tomcat and there is no jsessionid parameter in the URL, then Tomcat
> > > cannot link your request to any session and therefore has no choice
> > > but to create a new session.
> > >
> > > Your explanation of using <html:link> and rewriting within a session
> > > is exactly what I'm doing (or trying to do). I also put in some
> > > defensive code to determine if the user messed with the URL or created
> > > a new browser with the same URL. I put code in my Form bean's reset
> > > method to double check that the request that is coming in actually
> > > applies to the object the user was last working on. This also defends
> > > against some of the problems caused by hitting the back and forward
> > > buttons. Still, very annoying.
> > >
> > > -----Original Message-----
> > > From: Peter Alfors
> > > To: [EMAIL PROTECTED]
> > > Sent: 2/1/01 5:11 PM
> > > Subject: Re: session ids cont...
> > >
> > > I added the "noCookies" attribute and set it to "true". However, the
> > > two
> > > instances of Netscape 4.7 still show that they are using the same
> > > session.
> > > I.E. 5.0 does display different session ID still.
> > >
> > > see notes below...
> > >
> > > "Craig R. McClanahan" wrote:
> > >
> > > > Peter Alfors wrote:
> > > >
> > > > > "Kramer, Gary" wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > I had similiar problems. You need to turn off the use of
> > > Cookies
> > > on
> > > > > > your server (in Tomcat this setting is in server.xml). When
> > > the
> > > user
> > > > > > opens 2 browsers, they will always have different session ids in
> > >
> > > both
> > > > > > IE and Netscape since the first URL they will use will not have
> > > a
> > > > > > session id included.
> > > > > >
> > > > >
> > > > > How do I turn off the use of cookies in the server.xml? I only
> > > see
> > > one
> > > > > location where cookies are mentioned.
> > > > > <!-- Request processing -->
> > > > > <!-- Session interceptor will extract the session id from
> > > > > cookies and
> > > > > deal with URL rewriting ( by fixing the URL )
> > > > > -->
> > > > > <RequestInterceptor
> > > > >
> > > className="org.apache.tomcat.request.SessionInterceptor"
> > > />
> > > > >
> > > > > Do I comment out this section?
> > > > >
> > > >
> > > > For Tomcat 3.2.1 there is a noCookies attribute on this entry that
> > > defaults
> > > > to "false". You need to set it to "true":
> > > >
> > > > <RequestInterceptor
> > > > className="org.apache.tomcat.request.SessionInterceptor"
> > > > noCookies="true"/>
> > > >
> > > > NOTE: Using URL rewriting does *not* catch every case of multiple
> > > windows
> > > > sharing session ids. Consider that the user can right-click on a
> > > hyperlink
> > > > (containing the session id) and select "Open in New Window".
> > > Because
> > > the
> > > > hyperlink being clicked had a session id in it already, the new
> > > window
> > > will
> > > > still be part of the old session -- so your app logic needs to be
> > > ready to
> > > > deal with this.
> > > >
> > >
> > > So it sounds like what I am looking for is to get the browser
> > > instances
> > > (IE and
> > > Netscape) to generate unique session ids. Then, I need to perform
> > > URL-rewriting
> > > for all of my links within the webapp. This will solve my problem if
> > > the user
> > > has opened up multiple browser instances (from the desktop, not
> > > through
> > > file
> > > --> new--> Window).
> > > I can use the <html:link> tag to accomplish this throughout the site.
> > >
> > > However, I will also need to add some sort of "smarts" to the app to
> > > handle the
> > > possibility that the user opened a new browser instance from the (file
> > >
> > > --> new
> > > --> Window) option.
> > >
> > > Am I on the right track? (sorry if I sound so confused, but I am) :)
> > >
> > > > Craig McClanahan
> > > <<Card for Peter Alfors>>
> >
>
------------------------------------------------------------------------
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, email: [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
