You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by jo...@ultratechpartners.com on 2007/01/04 05:14:21 UTC

URL rewriting For Session Tracking

Hi Everyone,

I tried to find answer to this question on the archive and documentation, but I couldn't find a clear answer which is weird since I expected to find an answer easily. All I want to do is 'URL rewriting For Session Tracking'. Do I have to do this manually in my code (using response.encodeURL), or is there an automatic way of doing this in Tomcat (such as using a filter or value) that would handle this for me? I've been looking at HttpRedirectFilter and UrlRewriteFilter which are open source filters, but they seem to do a lot of rewriting, but not for session tracking.

Thanks for Your Help,

Kasra

Re: URL rewriting For Session Tracking

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.

jobs@ultratechpartners.com wrote:
> All I want to do is 'URL rewriting For Session Tracking'. Do I have to do this manually in my code (using response.encodeURL), or is there an automatic way of doing this in Tomcat (such as using a filter or value) that would handle this for me?
>   
Add cookies="false" to context.xml of your application and use JSTL 
c:url, Struts html:link, etc depending on your application design.

http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

-- 
Mikolaj Rydzewski <mi...@ceti.pl>

Re: URL rewriting For Session Tracking

Posted by Len Popp <le...@gmail.com>.

Or if you use the JSP standard tag lib (JSTL) you can do: <c:url value="
second.jsp">second page</c:url>
-- 
Len

On 1/4/07, Bill Barker <wb...@wilshire.com> wrote:
>
> Usually you would use a tag lib for this sort of thing.  With struts, it
> would look something like:
>   <html:a href="second.jsp">second page </html:a>
>
> <jo...@ultratechpartners.com> wrote in message
> news:00d501c72fc8$1cb11340$3c34de0a@shahpoor...
> > Your reply answered another question that I had.  But I think I still
> > haven't described my current question clearly.  suppose I have 3 JSP
> pages
> > in my application.
> > --
> > first.jsp
> > second.jsp
> > third.jsp
> > --
> > Now, in my first.jsp, I have nothing but 2 links to the other two JSP
> > pages. If I want the session to be maintain when use clicks on the links
> > to go to the other pages, then can first.jsp be the following:
> > --
> > <a href="second.jsp">second page</a>
> > <a href="third.jsp">third page</a>
> > --
> > Or, the code in first.jsp must be the following:
> > --
> > <a href='<%=response.encodeURL("second.jsp")%>'>second page</a>
> > <a href='<%=response.encodeURL("second.jsp")'%>>second page</a>
> > ----
> >
> > Note:  If I use the first syntax, then unless Tomcat or some patch or
> > filter parse the code and add the jsessionid to the link automatically,
> > then the user will be losing the session when to goes from first.jsp to
> > the other ones.  And that's my question; can I use the first syntax.  Or
> > there is no way but to use the second syntax if I want the session to be
> > kept.
> >
> >
> > Thanks,
> > Kasra
> > ----- Original Message -----
> > From: "Caldarale, Charles R" <Ch...@unisys.com>
> > To: "Tomcat Users List" <us...@tomcat.apache.org>
> > Sent: Wednesday, January 03, 2007 9:56 PM
> > Subject: RE: URL rewriting For Session Tracking
> >
> >
> >> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com]
> >> Subject: Re: URL rewriting For Session Tracking
> >>
> >> Basically I have a webapp and I want to have a session
> >> for each user that connects to my server (just the usual
> >> servlet session that is created with jsessionid).  Do I
> >> have to wrap every link that I have in my webapp with an
> >> Httpservletresponse.encodeURL()?
> >
> > No.  As I recall, Tomcat will not create a session automatically unless
> > it's absolutely necessary (e.g., tracking authenticated users) or the
> > application requests it.  I'm not aware of any config parameter that
> > will force creation of sessions for all clients, but all you should have
> > to do is put the following somewhere in the request processing path of
> > each servlet:
> >        request.getSession(true);
> >
> > This doesn't need to go into your servlet or JSP code - you can write a
> > simple filter class that does nothing but run the above code to force
> > the creation of a session if one doesn't already exist.  The filter
> > mapping can go into conf/web.xml so it will apply to all apps deployed
> > within your Tomcat instance, or in each appropriate webapp's web.xml
> > file.
> >
> > Note that per the servlet spec, Tomcat will use cookies not URL
> > rewriting for session tracking; it will fall back to URL rewriting if
> > the client refuses cookies.  You can also disable use of cookies by
> > setting cookies="false" in your <Context> elements (or the global
> > conf/context.xml file).
> >
> > - Chuck
> >
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you
> > received this in error, please contact the sender and delete the e-mail
> > and its attachments from all computers.
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

Re: URL rewriting For Session Tracking

Posted by jo...@ultratechpartners.com.

Hi Bill,

In my case, I can't use taglibs since I am generating the code dynamically.
But even if I could use taglibs, then part of what the taglib does is really
using response.encodeURL("second.jsp") to do the URL rewriting without you
having to worry about it.  So, I think the ultimate answer is that yes, I
need to do URL rewriting for each individual link in my server manually if I
want user connections to have a session associated with them; any link that
I don't do this for, and the user clicks on will cause the session to be
lost.  And as a result, there is no magic switch that Tomcat or any filter
has that I can turn on to have this automatically done.  This is really what
I want to know, that there is no magic switch that I am missing on.

The problem is that I have thousands of links in my pages, and now I have to
go in and change each one of them so that they do URL rewriting in case the
user's doesn't allow cookies.

Am I correct in assuming that there is no magic switch in Tomcat or anywhere
to have url rewriting done for me?

By the way, I know that I can write a servlet filter that would parse the
response being sent to the user and do URL rewriting for any link in the
response, but I think that is considered a bad practice since then every
link will have the jsessionid with it.  Suppose I am linking to
www.yahoo.com which is outside my application, then the jsessionid will be
associated with that link as well which someone had mentioned it is not a
safe practice.

Thanks,
Kasra






----- Original Message ----- 
From: "Bill Barker" <wb...@wilshire.com>
To: <us...@tomcat.apache.org>
Sent: Wednesday, January 03, 2007 11:51 PM
Subject: Re: URL rewriting For Session Tracking


> Usually you would use a tag lib for this sort of thing.  With struts, it 
> would look something like:
>  <html:a href="second.jsp">second page </html:a>
>
> <jo...@ultratechpartners.com> wrote in message 
> news:00d501c72fc8$1cb11340$3c34de0a@shahpoor...
>> Your reply answered another question that I had.  But I think I still 
>> haven't described my current question clearly.  suppose I have 3 JSP 
>> pages in my application.
>> --
>> first.jsp
>> second.jsp
>> third.jsp
>> --
>> Now, in my first.jsp, I have nothing but 2 links to the other two JSP 
>> pages. If I want the session to be maintain when use clicks on the links 
>> to go to the other pages, then can first.jsp be the following:
>> --
>> <a href="second.jsp">second page</a>
>> <a href="third.jsp">third page</a>
>> --
>> Or, the code in first.jsp must be the following:
>> --
>> <a href='<%=response.encodeURL("second.jsp")%>'>second page</a>
>> <a href='<%=response.encodeURL("second.jsp")'%>>second page</a>
>> ----
>>
>> Note:  If I use the first syntax, then unless Tomcat or some patch or 
>> filter parse the code and add the jsessionid to the link automatically, 
>> then the user will be losing the session when to goes from first.jsp to 
>> the other ones.  And that's my question; can I use the first syntax.  Or 
>> there is no way but to use the second syntax if I want the session to be 
>> kept.
>>
>>
>> Thanks,
>> Kasra
>> ----- Original Message ----- 
>> From: "Caldarale, Charles R" <Ch...@unisys.com>
>> To: "Tomcat Users List" <us...@tomcat.apache.org>
>> Sent: Wednesday, January 03, 2007 9:56 PM
>> Subject: RE: URL rewriting For Session Tracking
>>
>>
>>> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com]
>>> Subject: Re: URL rewriting For Session Tracking
>>>
>>> Basically I have a webapp and I want to have a session
>>> for each user that connects to my server (just the usual
>>> servlet session that is created with jsessionid).  Do I
>>> have to wrap every link that I have in my webapp with an
>>> Httpservletresponse.encodeURL()?
>>
>> No.  As I recall, Tomcat will not create a session automatically unless
>> it's absolutely necessary (e.g., tracking authenticated users) or the
>> application requests it.  I'm not aware of any config parameter that
>> will force creation of sessions for all clients, but all you should have
>> to do is put the following somewhere in the request processing path of
>> each servlet:
>>        request.getSession(true);
>>
>> This doesn't need to go into your servlet or JSP code - you can write a
>> simple filter class that does nothing but run the above code to force
>> the creation of a session if one doesn't already exist.  The filter
>> mapping can go into conf/web.xml so it will apply to all apps deployed
>> within your Tomcat instance, or in each appropriate webapp's web.xml
>> file.
>>
>> Note that per the servlet spec, Tomcat will use cookies not URL
>> rewriting for session tracking; it will fall back to URL rewriting if
>> the client refuses cookies.  You can also disable use of cookies by
>> setting cookies="false" in your <Context> elements (or the global
>> conf/context.xml file).
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> 


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by Bill Barker <wb...@wilshire.com>.

Usually you would use a tag lib for this sort of thing.  With struts, it 
would look something like:
  <html:a href="second.jsp">second page </html:a>

<jo...@ultratechpartners.com> wrote in message 
news:00d501c72fc8$1cb11340$3c34de0a@shahpoor...
> Your reply answered another question that I had.  But I think I still 
> haven't described my current question clearly.  suppose I have 3 JSP pages 
> in my application.
> --
> first.jsp
> second.jsp
> third.jsp
> --
> Now, in my first.jsp, I have nothing but 2 links to the other two JSP 
> pages. If I want the session to be maintain when use clicks on the links 
> to go to the other pages, then can first.jsp be the following:
> --
> <a href="second.jsp">second page</a>
> <a href="third.jsp">third page</a>
> --
> Or, the code in first.jsp must be the following:
> --
> <a href='<%=response.encodeURL("second.jsp")%>'>second page</a>
> <a href='<%=response.encodeURL("second.jsp")'%>>second page</a>
> ----
>
> Note:  If I use the first syntax, then unless Tomcat or some patch or 
> filter parse the code and add the jsessionid to the link automatically, 
> then the user will be losing the session when to goes from first.jsp to 
> the other ones.  And that's my question; can I use the first syntax.  Or 
> there is no way but to use the second syntax if I want the session to be 
> kept.
>
>
> Thanks,
> Kasra
> ----- Original Message ----- 
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Wednesday, January 03, 2007 9:56 PM
> Subject: RE: URL rewriting For Session Tracking
>
>
>> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com]
>> Subject: Re: URL rewriting For Session Tracking
>>
>> Basically I have a webapp and I want to have a session
>> for each user that connects to my server (just the usual
>> servlet session that is created with jsessionid).  Do I
>> have to wrap every link that I have in my webapp with an
>> Httpservletresponse.encodeURL()?
>
> No.  As I recall, Tomcat will not create a session automatically unless
> it's absolutely necessary (e.g., tracking authenticated users) or the
> application requests it.  I'm not aware of any config parameter that
> will force creation of sessions for all clients, but all you should have
> to do is put the following somewhere in the request processing path of
> each servlet:
>        request.getSession(true);
>
> This doesn't need to go into your servlet or JSP code - you can write a
> simple filter class that does nothing but run the above code to force
> the creation of a session if one doesn't already exist.  The filter
> mapping can go into conf/web.xml so it will apply to all apps deployed
> within your Tomcat instance, or in each appropriate webapp's web.xml
> file.
>
> Note that per the servlet spec, Tomcat will use cookies not URL
> rewriting for session tracking; it will fall back to URL rewriting if
> the client refuses cookies.  You can also disable use of cookies by
> setting cookies="false" in your <Context> elements (or the global
> conf/context.xml file).
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> 




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by jo...@ultratechpartners.com.

Your reply answered another question that I had.  But I think I still 
haven't described my current question clearly.  suppose I have 3 JSP pages 
in my application.
--
first.jsp
second.jsp
third.jsp
--
Now, in my first.jsp, I have nothing but 2 links to the other two JSP pages. 
If I want the session to be maintain when use clicks on the links to go to 
the other pages, then can first.jsp be the following:
--
<a href="second.jsp">second page</a>
<a href="third.jsp">third page</a>
--
Or, the code in first.jsp must be the following:
--
<a href='<%=response.encodeURL("second.jsp")%>'>second page</a>
<a href='<%=response.encodeURL("second.jsp")'%>>second page</a>
----

Note:  If I use the first syntax, then unless Tomcat or some patch or filter 
parse the code and add the jsessionid to the link automatically, then the 
user will be losing the session when to goes from first.jsp to the other 
ones.  And that's my question; can I use the first syntax.  Or there is no 
way but to use the second syntax if I want the session to be kept.


Thanks,
Kasra
----- Original Message ----- 
From: "Caldarale, Charles R" <Ch...@unisys.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Wednesday, January 03, 2007 9:56 PM
Subject: RE: URL rewriting For Session Tracking


> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com]
> Subject: Re: URL rewriting For Session Tracking
>
> Basically I have a webapp and I want to have a session
> for each user that connects to my server (just the usual
> servlet session that is created with jsessionid).  Do I
> have to wrap every link that I have in my webapp with an
> Httpservletresponse.encodeURL()?

No.  As I recall, Tomcat will not create a session automatically unless
it's absolutely necessary (e.g., tracking authenticated users) or the
application requests it.  I'm not aware of any config parameter that
will force creation of sessions for all clients, but all you should have
to do is put the following somewhere in the request processing path of
each servlet:
        request.getSession(true);

This doesn't need to go into your servlet or JSP code - you can write a
simple filter class that does nothing but run the above code to force
the creation of a session if one doesn't already exist.  The filter
mapping can go into conf/web.xml so it will apply to all apps deployed
within your Tomcat instance, or in each appropriate webapp's web.xml
file.

Note that per the servlet spec, Tomcat will use cookies not URL
rewriting for session tracking; it will fall back to URL rewriting if
the client refuses cookies.  You can also disable use of cookies by
setting cookies="false" in your <Context> elements (or the global
conf/context.xml file).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by David Delbecq <de...@oma.be>.

En l'instant précis du 01/04/07 16:32, fausto mancini s'exprimait dans
toute sa noblesse:
>
>
> David Delbecq wrote:
>
>> 2) in some cases it can be useful to have 2 sessions in same browser
>> (something you can't do with cookies)
>
> Hello David,
> I've never thought about that; it looks interesting. Do you have a
> real use case for that?
>
> Thank you in advance.
>
> _F_M
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Several

1) you need to debug a concurrency problem with 2 users in your webapp.
It's easier to reproduce it if you can log in as 2 different users at
the same time (just disable cookies on browser and done)
2) A site admin want to have on the site the 'look of the site as
anonymous' without having to logout/log in
3) You want to check how webapp behave when one user has 2 sessions
(active on 2 different terminals for example)

Of course, first is anyway incompatible with http based
authentification, can only work on form based authentification (because
browser caches the user/pass)


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by fausto mancini <fa...@ictechnology.it>.


David Delbecq wrote:

> 2) in some cases it can be useful to have 2 sessions in same browser
> (something you can't do with cookies)

Hello David,
I've never thought about that; it looks interesting. Do you have a real 
use case for that?

Thank you in advance.

_F_M

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by David Delbecq <de...@oma.be>.

En l'instant précis du 01/04/07 16:37, Caldarale, Charles R s'exprimait
dans toute sa noblesse:
>> From: David Delbecq [mailto:delbd@oma.be] 
>> Subject: Re: URL rewriting For Session Tracking
>>     
>
> Many thanks to Chris and David for the enlightenment.
>
> Another question: How would one handle links embedded in static content?
> Is it simply a matter of "don't do that"?
>   
Yes and no :)

Don't do that if you intend to use default static resource serving (the
servlet you don't see and that tomcat maps to your static ressources)

But there are ways around it
1) as suggested earlier in this thread, create a filter that will try to
locate your links and rewrite them (quite tricky)
2) creates a servlet that maps to *.xhtml and does the parsing (less
tricky as none of the urls inside static ressources are already encoded)
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>   


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by Christopher Schultz <ch...@christopherschultz.net>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck,

Caldarale, Charles R wrote:
>> From: David Delbecq [mailto:delbd@oma.be] 
>> Subject: Re: URL rewriting For Session Tracking
> 
> Many thanks to Chris and David for the enlightenment.
> 
> Another question: How would one handle links embedded in static content?
> Is it simply a matter of "don't do that"?

Yeah, it's basically a "don't do that" kind of situation. If cookies
aren't being used for whatever reason, static content will certainly
trip you up.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFnSLf9CaO5/Lv0PARAo9FAKC4S46+6J6YKCLVBkDYnlpF9E+ovQCdE6bN
WHOKs9dEHz8SYOgBe21I6aE=
=C972
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: URL rewriting For Session Tracking

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: David Delbecq [mailto:delbd@oma.be] 
> Subject: Re: URL rewriting For Session Tracking

Many thanks to Chris and David for the enlightenment.

Another question: How would one handle links embedded in static content?
Is it simply a matter of "don't do that"?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by David Delbecq <de...@oma.be>.

En l'instant précis du 01/04/07 16:04, Caldarale, Charles R s'exprimait
dans toute sa noblesse:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
>> Subject: Re: URL rewriting For Session Tracking
>>
>> I think you are misinterpreting the OP's question... I think 
>> he wants to /force/ the use of URL rewriting to include the
>> jsessionid. In that case, he /must/ run all his links through 
>> HttpServletResponse.encodeURL.
>>     
>
> So setting cookies="false" in the <Context> element isn't sufficient?
>   
no, setting cookies=false just disable session tracking using cookies.
Proper link to your webapplication should travel inside encodeUrl() at
some point before rendering it to outputstream. Most tag that output
urls are doing it internally (<struts:link/>, <c:url/> amongst other are
doing it)
> (Assuming a session has been created via request.getSession(true), of
> course.)  I haven't tried it, but that's the implication I got from
> reading the doc.  
Strange, reading the doc i see this " Set to false if you want to
disable the use of cookies for session identifier communication, and
rely only on URL rewriting by the application. ". That is clear, if you
set to false, you must use url rewriting in your application to track
session identifier. Setting cookies to false won't magically parse all
your pages to add session identifier. (See J2EE specifications for details)
> What does cookies="false" actually do, then?
>   
It disables use of cookies for session tracking
> To step back a little: why would it be important to use URL encoding to
> track sessions rather than do it with cookies?
>
>   
Because

1) not everyone has cookies enabled in their browser
2) in some cases it can be useful to have 2 sessions in same browser
(something you can't do with cookies)


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by Christopher Schultz <ch...@christopherschultz.net>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck,

Caldarale, Charles R wrote:
> So setting cookies="false" in the <Context> element isn't sufficient?

That just tells Tomcat not to use cookies to send session identification
to the browser. Yes, the alternative to cookies is the use of URL
rewriting to put the "jsessionid" into the URL, but that actually has to
be done somewhere.

> To step back a little: why would it be important to use URL encoding to
> track sessions rather than do it with cookies?

Maybe they have a "no cookies" requirement or something like that.

I personally write all my apps so that the widest audience can use them.
Cookies are not requires in any of the apps I have written in the last
few years. In order to achieve that, one must encode every URL that gets
put into a web page.

Some JSP taglibs provide this capability so you don't have to worry
about it. But, that means that every URL you emit must go through one of
those tags. I mostly use Velocity (not JSP) and there are niceties in
the Velocity-Tools package (that work with Struts, which is a bonus)
that do the same thing.

It all comes down to the same thing: you must run your URLs through
HttpServletResponse.encodeURL if you want to use URL rewriting at all.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFnRnI9CaO5/Lv0PARAtfpAJ4qW0hrjvzbXhRGg3CrF3tsMUmuLQCbBz05
5bu0ZELNsuHss9CoJQDnaJ8=
=2D9m
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.

Caldarale, Charles R wrote:
> To step back a little: why would it be important to use URL encoding to
> track sessions rather than do it with cookies?
>   
Some log analyzers use such information to generate user profiles, etc.

-- 
Mikolaj Rydzewski <mi...@ceti.pl>

RE: URL rewriting For Session Tracking

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> Subject: Re: URL rewriting For Session Tracking
> 
> I think you are misinterpreting the OP's question... I think 
> he wants to /force/ the use of URL rewriting to include the
> jsessionid. In that case, he /must/ run all his links through 
> HttpServletResponse.encodeURL.

So setting cookies="false" in the <Context> element isn't sufficient?
(Assuming a session has been created via request.getSession(true), of
course.)  I haven't tried it, but that's the implication I got from
reading the doc.  What does cookies="false" actually do, then?

To step back a little: why would it be important to use URL encoding to
track sessions rather than do it with cookies?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by Christopher Schultz <ch...@christopherschultz.net>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck,

Caldarale, Charles R wrote:
>> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com] 
>> Subject: Re: URL rewriting For Session Tracking
>>
>> Do I have to wrap every link that I have in my webapp with an 
>> Httpservletresponse.encodeURL()?
> 
> No.  As I recall, Tomcat will not create a session automatically unless
> it's absolutely necessary (e.g., tracking authenticated users) or the
> application requests it.

I think you are misinterpreting the OP's question... I think he wants to
/force/ the use of URL rewriting to include the jsessionid. In that
case, he /must/ run all his links through HttpServletResponse.encodeURL.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFnQLt9CaO5/Lv0PARAvMmAJ97y7GDRY3fY9XsAH9GCKL9lGz86QCfS1CA
k7lL+g3W3pq7tQGGlCzEYIk=
=Tiss
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: URL rewriting For Session Tracking

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com] 
> Subject: Re: URL rewriting For Session Tracking
> 
> Basically I have a webapp and I want to have a session
> for each user that connects to my server (just the usual
> servlet session that is created with jsessionid).  Do I
> have to wrap every link that I have in my webapp with an 
> Httpservletresponse.encodeURL()?

No.  As I recall, Tomcat will not create a session automatically unless
it's absolutely necessary (e.g., tracking authenticated users) or the
application requests it.  I'm not aware of any config parameter that
will force creation of sessions for all clients, but all you should have
to do is put the following somewhere in the request processing path of
each servlet:
        request.getSession(true);

This doesn't need to go into your servlet or JSP code - you can write a
simple filter class that does nothing but run the above code to force
the creation of a session if one doesn't already exist.  The filter
mapping can go into conf/web.xml so it will apply to all apps deployed
within your Tomcat instance, or in each appropriate webapp's web.xml
file.

Note that per the servlet spec, Tomcat will use cookies not URL
rewriting for session tracking; it will fall back to URL rewriting if
the client refuses cookies.  You can also disable use of cookies by
setting cookies="false" in your <Context> elements (or the global
conf/context.xml file).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: URL rewriting For Session Tracking

Posted by jo...@ultratechpartners.com.

Thanks for your reply Chuck.  I've been through the whole documentation and 
it hasn't helped.  I'll try to make my question as clear as possible. 
Basically I have a webapp and I want to have a session for each user that 
connects to my server (just the usual servlet session that is created with 
jsessionid).  Do I have to wrap every link that I have in my webapp with an 
Httpservletresponse.encodeURL()?

I was expecting that there would be a configuration swich for example in 
server.xml file of Tomcat that I would switch it on, and the url rewriting 
that would include the jsessionid would be done for me, so that I don't have 
to wrap every link in my application with Httpservletresponse.encodeURL(). 
Basically, I was hoping that I don't have to touch my code and insert 
Httpservletresponse.encodeURL() for every link that I have.  But I think 
there is no such a thing, or is seen as not a good practice.

I hope this makes my question clear.



----- Original Message ----- 
From: "Caldarale, Charles R" <Ch...@unisys.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Wednesday, January 03, 2007 8:43 PM
Subject: RE: URL rewriting For Session Tracking


> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com]
> Subject: URL rewriting For Session Tracking
>
> All I want to do is 'URL rewriting For Session Tracking'.

I have to admit that I don't really understand your question.  What do
you need to do with sessions that Tomcat doesn't already do
automatically via cookies or jsessionid?  Check the doc for the cookies
attribute of the <Context> element:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

You also might want to take a look at Section 7 of the servlet spec:
http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: URL rewriting For Session Tracking

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: jobs@ultratechpartners.com [mailto:jobs@ultratechpartners.com] 
> Subject: URL rewriting For Session Tracking
> 
> All I want to do is 'URL rewriting For Session Tracking'.

I have to admit that I don't really understand your question.  What do
you need to do with sessions that Tomcat doesn't already do
automatically via cookies or jsessionid?  Check the doc for the cookies
attribute of the <Context> element:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

You also might want to take a look at Section 7 of the servlet spec:
http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org