Session without cookies

When we have a conversation on HttpSession we implicitly use cookies. Things get complicated if the client does not accept cookies. In this case we can still keep a conversation on session, but we should do some more job.

We have no way to see if the client does not accept cookies, we just find out that any time we call isNew() on the request session, it returns true.

The way for overcoming the lack of cookies, is falling back to the URL rewriting mechanism. That means, the session ID is returned to the caller as extra parameter in the request URL. Also in this case, all the job is done by the container, but only if we explicitly ask for encoding the URL (and if the container detects the cookies are not accepted by the client).

So, we should generate a link to the servlet like this:
out.println("<a href=\"" + response.encodeURL("/") +
   "\">click me</a>");
The nuisance here is that we can't encode URL in static HTML pages, and if we think a bit about it, we see that it can't be in another way. So, we should use only servlet and JSP pages.

This this is just an abstract of what I what I read on this matter in the sixth chapter of Head First Servlet and JSP, a fun ad interesting book on Java EE.

No comments:

Post a Comment