Christopher Schultz wrote:
[...]

| (And, as a secondary question, what does one exactly put in it then, so
| that it still matches the "session key" ? Or can you just put something
| arbitrary in it, and Tomcat will use whatever is there to identify the
| session data store ?)

The cookie must be called JSESSIONID, and the value must be the id of
the session. So, you can just do something like this:

response.addCookie(new Cookie("JSESSIONID",
                    request.getSession().getId()));

Christopher Schultz (also) wrote:

Tomcat generates the cookie the first time you call
HttpServletRequest.getSession(true) and the session is actually created.


I'm possibly nitpicking, but still trying to get a full crash-proof explanation:

Imagine the following scenario (and sorry if some of the terms I'm using are not the official ones):

A servlet context consists of a servlet (code), and a context descriptor (web.xml) which points to this servlet code, and also establishes a "security context" (in other words says that access to this servlet is subject to certain criteria). A browser sends a request for this servlet context. Tomcat receives the request, and determines that it needs authentication. At this point, the code of the servlet has not yet been invoked, so there has been no opportunity for the servlet to call HttpServletRequest.getSession().
(true/false?)
So according to the above, neither the session nor the JSESSIONID cookie has yet been created.
(true/false?)
Since there is no session, there is no stored user-id, and Tomcat sends back a 401 response (or a login form, depending). There cannot be a JSESSIONID cookie in this server response, because no session exists yet. The user authenticates, the authentication is checked, and now by some mechanism the call is redirected to the originally-requested URL. But still according to the above, there is no session yet, because HttpServletRequest.getSession() has still not been called.

But Tomcat must be able to retrieve the authenticated user-id somewhere, before allowing the servlet code to be executed. So if there is no session yet, where does it get it?

The above cannot all be correct; there is a contradiction somewhere. Or is it just me being thick?


(I also have a problem with the HttpServletRequest.isRequestedSessionIdValid() call, because I fail to see a case where the return value would be false. But I'll get to that one later, if I haven't exhausted everyone's patience by then.)

André
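A diagnostic servlet, added here as an example (not code from this thread or from Tomcat), that records what the container already knows about the session and the authenticated user before the servlet itself asks for a session; deploy it behind a <security-constraint> in web.xml to observe the flow questioned above. The class name SessionProbeServlet and the /probe mapping are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet (assumed name and mapping); the container
// invokes it only after any <security-constraint> on /probe is satisfied.
@WebServlet("/probe")
public class SessionProbeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // What the client sent: the JSESSIONID value, if any, and whether it
        // still names a live session. A stale id (expired, invalidated, or
        // never issued by this server) yields requestedSessionIdValid=false.
        out.println("requestedSessionId      = " + req.getRequestedSessionId());
        out.println("requestedSessionIdValid = " + req.isRequestedSessionIdValid());
        out.println("fromCookie              = " + req.isRequestedSessionIdFromCookie());

        // Who the container authenticated, independent of any session this
        // servlet creates: null means the request was not authenticated.
        out.println("remoteUser              = " + req.getRemoteUser());
        out.println("authType                = " + req.getAuthType());

        // getSession(false) never creates a session: it reports whether one
        // already existed before this servlet asked for it.
        HttpSession existing = req.getSession(false);
        out.println("sessionBeforeGetSession = "
                + (existing == null ? "none"
                   : existing.getId() + " isNew=" + existing.isNew()));

        // getSession(true) creates a session on demand; isNew() tells whether
        // this call created it, in which case Set-Cookie: JSESSIONID follows.
        HttpSession session = req.getSession(true);
        out.println("sessionAfterGetSession  = " + session.getId()
                + " isNew=" + session.isNew());
    }
}
```

Requesting /probe once unauthenticated, once right after login, and once more with the cookie from an invalidated session shows, for each step of the scenario, whether the container or the servlet created the session.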

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org