Under what conditions is a JSESSIONID created

Question

When   what are the conditions when a JSESSIONID is created   Is it per a domain  For instance  if I have a Tomcat app server  and I deploy multiple web applications  will a different JSESSIONID be created per context  web application   or is it shared across web applications as long as they are the same domain

User · Answer

Beware if your page is including other  jsp or  jspf  fragment   If you don t set    lt    page session  false    gt    on them as well  the parent page will end up starting a new session and setting the JSESSIONID cookie   For  jspf pages in particular  this happens if you configured your web xml with such a snippet    lt jsp-config gt       lt jsp-property-group gt           lt url-pattern gt   jspf lt  url-pattern gt       lt  jsp-property-group gt   lt  jsp-config gt    in order to enable scriptlets inside them

User · Answer

Here is some information about one more source of the JSESSIONID cookie:

I was just debugging some Java code that runs on a tomcat server. I was not calling request.getSession() explicitly anywhere in my code but I noticed that a JSESSIONID cookie was still being set.

I finally took a look at the generated Java code corresponding to a JSP in the work directory under Tomcat.

It appears that, whether you like it or not, if you invoke a JSP from a servlet, JSESSIONID will get created!

Added: I just found that by adding the following JSP directive:

<%@ page session="false" %>

you can disable the setting of JSESSIONID by a JSP.

User · Answer

CORRECTION  Please vote for Peter   tibran   s answer - it is more correct and complete   A  JSESSIONID  is the unique id of the http session - see the javadoc here  There  you ll find the following sentence     Session information is scoped only to the current web application  ServletContext   so information stored in one context will not be directly visible in another    So when you first hit a site  a new session is created and bound to the SevletContext  If you deploy multiple applications  the session is not shared   You can also invalidate the current session and therefore create a new one  e g  when switching from http to https  after login   it is a very good idea  to create a new session   Hope  this answers your question

User · Answer

JSESSIONID cookie is created sent when session is created  Session is created when your code calls request getSession   or request getSession true  for the first time  If you just want to get the session  but not create it if it doesn t exist  use request getSession false  -- this will return you a session or null  In this case  new session is not created  and JSESSIONID cookie is not sent   This also means that session isn t necessarily created on first request    you and your code are in control when the session is created   Sessions are per-context      SRV 7 3 Session Scope      HttpSession objects must be scoped at   the application  or servlet context    level  The underlying mechanism  such   as the cookie used to establish the   session  can be the same for different   contexts  but the object referenced    including the attributes in that   object  must never be shared between   contexts by the container     Servlet 2 4 specification   Update  Every call to JSP page implicitly creates a new session if there is no session yet  This can be turned off with the session  false  page directive  in which case session variable is not available on JSP page at all

User · Answer

For links generated in a JSP with custom tags  I had to use    lt    page session  false    gt    in the JSP   AND  request getSession   invalidate      in the Struts action

[java] Under what conditions is a JSESSIONID created?

The answer is

Examples related to java

Examples related to jsessionid

Tags