Posted to dev@tomcat.apache.org by Benjamin Fonzé [benja.be] <be...@benja.be> on 2002/05/20 17:34:43 UTC
Implementation of the sessions
Hello guys,
I'm currently writing a thesis about JSP/Java, etc. in an e-Learning application.
I need to know how the sessions (HttpSession) are managed in Tomcat.
I read it can be URL rewriting or cookies (on the java.sun web site),
but I block the cookies and there are no cookies on my disk.
So I suppose it's URL rewriting, but I don't see some variables transmitted
like page.jsp?SESSION_INFO=
Or maybe they are invisible. Like in the POST method of a form.
I searched everywhere on the web, tried to understand the source codes
of Tomcat, exchanged messages in the Tomcat mailing-list.
I can't find the answer.
You are my last chance, please HELP ME.
It would be extremely nice of you.
Thank you,
Benja.
PS: Sorry for my bad English
Re: Implementation of the sessions
Posted by Rolf Veen <ro...@helide.com>.
Benjamin Fonzé [benja.be] wrote:
> What is that mechanism ?
See http://www.mozilla.org/projects/security/pki/nss/ssl/
for links to SSL and TLS specs and other related
information.
For sessions thru cookies, see RFC-2965 (at rfc-editor.org,
for example).
Regards.
Rolf.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
RE: Implementation of the sessions
Posted by Benjamin Fonzé [benja.be] <be...@benja.be>.
Thank you for your help Bojan and Rolf.
I'll try to understand all that :)
Benja.
-----Original Message-----
From: Bojan Smojver [mailto:bojan@rexursive.com]
Sent: mardi 21 mai 2002 9:46
To: Tomcat Dev List
Subject: RE: Implementation of the sessions
On Tue, 2002-05-21 at 17:32, Benjamin Fonzé [benja.be] wrote:
> What is that mechanism ?
SSL establishes a session before HTTP protocol gets on top of it (i.e.
SSL is a transport layer). Once that happens, the container (Tomcat)
might have access to the SSL Session ID (I know that part to be true if
you use Apache + mod_ssl + mod_jk) and then use it as its own session
ID. To my knowledge, that's not the case with 3.3.x series (wouldn't
have a clue about 4.x). However you can check Tomcat session ID against
the SSL session ID in 3.3.x.
I think I read somewhere (and SSL people please correct me) that SSL
session ID's can be swapped during the session at any time (this is by
design), so the above checking might create problems if that happens. In
practice it usually ends up being fine, but in theory I think it's not
an entirely correct thing to do.
Bojan
RE: Implementation of the sessions
Posted by Bojan Smojver <bo...@rexursive.com>.
On Tue, 2002-05-21 at 17:32, Benjamin Fonzé [benja.be] wrote:
> What is that mechanism ?
SSL establishes a session before HTTP protocol gets on top of it (i.e.
SSL is a transport layer). Once that happens, the container (Tomcat)
might have access to the SSL Session ID (I know that part to be true if
you use Apache + mod_ssl + mod_jk) and then use it as its own session
ID. To my knowledge, that's not the case with 3.3.x series (wouldn't
have a clue about 4.x). However you can check Tomcat session ID against
the SSL session ID in 3.3.x.
I think I read somewhere (and SSL people please correct me) that SSL
session ID's can be swapped during the session at any time (this is by
design), so the above checking might create problems if that happens. In
practice it usually ends up being fine, but in theory I think it's not
an entirely correct thing to do.
Bojan
RE: Implementation of the sessions
Posted by Benjamin Fonzé [benja.be] <be...@benja.be>.
Thanks a lot for your answer.
I read these documents.
But there are not a lot of details.
I use session with SSL, and all I can obtain is :
-----
"SRV.7.1.2 SSL Sessions
Secure Sockets Layer, the encryption technology used in the HTTPS
protocol, has a mechanism built into it allowing multiple requests from
a client to be unambiguously identified as being part of a session. A
servlet container can easily use this data to define a session."
-----
What is that mechanism ?
Benja.
-----Original Message-----
From: Bojan Smojver [mailto:bojan@rexursive.com]
Sent: mardi 21 mai 2002 2:01
To: Tomcat Dev List
Subject: Re: Implementation of the sessions
On Tue, 2002-05-21 at 01:34, Benjamin Fonzé [benja.be] wrote:
> So I suppose it's URL rewriting, but I don't see some variables transmitted
> like page.jsp?SESSION_INFO=
It's called 'jsessionid' and it gets there by explicit encoding of the
URL. You should check the Java Servlet Specification, which is a public
document available from Sun and Java Servlet API documentation (also
available from Sun), which explains how it's actually used.
Bojan
Re: Implementation of the sessions
Posted by Bojan Smojver <bo...@rexursive.com>.
On Tue, 2002-05-21 at 01:34, Benjamin Fonzé [benja.be] wrote:
> So I suppose it's URL rewriting, but I don't see some variables transmitted
> like page.jsp?SESSION_INFO=
It's called 'jsessionid' and it gets there by explicit encoding of the
URL. You should check the Java Servlet Specification, which is a public
document available from Sun and Java Servlet API documentation (also
available from Sun), which explains how it's actually used.
Bojan
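The explicit URL encoding described in the reply above, as an added example that is not part of the original thread or of Tomcat's own code: a minimal servlet using the standard Servlet API. The class name `SessionTrackingDemo` and the `lesson=1` query parameter are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: SessionTrackingDemo is a hypothetical servlet name.
public class SessionTrackingDemo extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Create the session before any output is written, so the container
        // can still add a Set-Cookie header if the client accepts cookies.
        HttpSession session = req.getSession(true);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // How did the session ID arrive with this request, if at all?
        out.println("new session:       " + session.isNew());
        out.println("ID sent by cookie: " + req.isRequestedSessionIdFromCookie());
        out.println("ID sent in URL:    " + req.isRequestedSessionIdFromURL());

        // A plain link carries no session ID; with cookies blocked, following
        // it starts a new session. (lesson=1 is a constructed parameter.)
        out.println("plain link:   page.jsp?lesson=1");

        // encodeURL() is the explicit encoding step. When the container cannot
        // rely on a cookie, it returns the URL with ";jsessionid=<id>" placed
        // in the path, before the query string:
        //   page.jsp;jsessionid=<id>?lesson=1
        // When the cookie is in use, the URL is returned unchanged.
        out.println("encoded link: " + resp.encodeURL("page.jsp?lesson=1"));
    }
}
```

Because the rewritten URL carries the session ID itself, the ID appears wherever the URL does, such as server access logs, browser history and Referer headers.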