You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by lightbulb432 <ve...@hotmail.com> on 2007/06/26 21:12:36 UTC
RE: Where to find session cookies
How can I configure Tomcat to use permanent cookies as opposed to session
cookies? One of the reasons I'd like to know is to see the behavior of
method isNew() of HttpSession, which I can do if I'm able to disable
cookies. As the Javadoc for HttpSession says:
"A servlet should be able to handle cases in which the client does not
choose to join a session, such as when cookies are intentionally turned
off."
Fargusson.Alan wrote:
>
> Session cookies are not stored on disk. This is why they are more secure
> then cookies (non-session). Since they only exist in RAM (ok, maybe in
> swap files) nobody else using that machine can find them, and they go away
> when the browser ends.
>
> -----Original Message-----
> From: lightbulb432 [mailto:veerukrishnan@hotmail.com]
> Sent: Tuesday, May 29, 2007 12:15 PM
> To: users@tomcat.apache.org
> Subject: Where to find session cookies
>
>
>
> When testing my application that uses sessions, I don't seem to see a
> cookie
> with domain localhost in my browser's cookies folder. Does Tomcat use some
> internal folder to put its cookies, or am I just doing something else
> wrong?
>
> I do have cookies enabled, so it's not writing the session id to the URL,
> either.
>
> Thanks.
> --
> View this message in context:
> http://www.nabble.com/Where-to-find-session-cookies-tf3835973.html#a10860700
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
--
View this message in context: http://www.nabble.com/Where-to-find-session-cookies-tf3835973.html#a11311838
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Where to find session cookies
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Hi LightBulb,
I think you missing a concept somewhere...
A typically setup for a servlet that wants to use a cookie is like this
HttpSession session = request.getSession(true); //Make a
session if one does not exist
String SomeAttributeISet =
session.getAttribute("SomeAttributeISet "); //Read back your cookie stuff,
normally your Session bean
if (SomeAttributeISet == null) { //Attribute is not set, so no
cookie
//Normally you would make a new Session Bean here
} else {// got session info, so picking up the cookie
}
I never use isNew because typically the above structure tells you if the
cookie has come back or not, indirectly because your session bean or
attributes are null if no cookie.
The first time the request comes in from the browser.... there will NEVER be
a cookie session, because the browser needs a response from the servlet, to
get the cookie in the first place.
So if you setting up a form.... you must remember to set the cookie up when
you give them the page, so that when they submit it, the session is already
in place, otherwise it will only get set "after" the first response. Its not
instantaneous.... it needs one cycle.
isNew() may come in handy but you have to understand, that if you have any
security in your apps, the session will already be old.... because Tomcat
will already have made that session... so it doesnt mean much, rather just
keep an eye on the beans you set in the session.
If you look in the browser you will not see your attribute.... you will see
something like JSessionID = "GA6238468HFABB6868768687"
That is the session.... and Tomcat stores all your attributes against
that.... its just a glorified hash table, that keeps (JSessionID,
YourAttribute, Value)
To answer your question.... if you turn off cookies in your browser and you
not using urlRewriting, ie you using the above, you should see isNew all the
time.
If cookies are on in the browser, isNew will happen the first time, but not
the second time.
If security is used, isNew will always be false to you.
So.... you make a form and .. do the above... ie make your session bean, the
user fills it in and submits.
When you read it.... if your bean is then null.... you send them a message
that tells them to turn cookies on.
Its normally just about impossible to use the web today without cookies
running, so it normally enough to just tell the user to turn them on.
In the old days when some browsers couldnt do cookies.... you had to do it.
urlRewriting is very tricky and you actually need to write all the URL's in
your page with the sessionID as well, else things like menu items break, it
gets extremely messy. In general I dont use it.... just tell the user to
turn it on.
Where I do use it, and its not really just for sessions, is when I want the
user to get back to the same state, by just keeping the url, and I find url
Session reWriting is not enuf then anyway. A good example of a scheme like
that is Google.... just look at how its storing state in the url, but its
doing more than just session management.
Hope that helps....
----- Original Message -----
From: "lightbulb432" <ve...@hotmail.com>
To: <us...@tomcat.apache.org>
Sent: Tuesday, June 26, 2007 9:12 PM
Subject: RE: Where to find session cookies
>
> How can I configure Tomcat to use permanent cookies as opposed to session
> cookies? One of the reasons I'd like to know is to see the behavior of
> method isNew() of HttpSession, which I can do if I'm able to disable
> cookies. As the Javadoc for HttpSession says:
>
> "A servlet should be able to handle cases in which the client does not
> choose to join a session, such as when cookies are intentionally turned
> off."
>
>
>
> Fargusson.Alan wrote:
>>
>> Session cookies are not stored on disk. This is why they are more secure
>> then cookies (non-session). Since they only exist in RAM (ok, maybe in
>> swap files) nobody else using that machine can find them, and they go
>> away
>> when the browser ends.
>>
>> -----Original Message-----
>> From: lightbulb432 [mailto:veerukrishnan@hotmail.com]
>> Sent: Tuesday, May 29, 2007 12:15 PM
>> To: users@tomcat.apache.org
>> Subject: Where to find session cookies
>>
>>
>>
>> When testing my application that uses sessions, I don't seem to see a
>> cookie
>> with domain localhost in my browser's cookies folder. Does Tomcat use
>> some
>> internal folder to put its cookies, or am I just doing something else
>> wrong?
>>
>> I do have cookies enabled, so it's not writing the session id to the URL,
>> either.
>>
>> Thanks.
>> --
>> View this message in context:
>> http://www.nabble.com/Where-to-find-session-cookies-tf3835973.html#a10860700
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Where-to-find-session-cookies-tf3835973.html#a11311838
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Where to find session cookies
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Where to find session cookies
>
> > in the ops first question he was asking about session
> > timeouts... and making them last forever.
>
> I must have totally missed that.
You didn't miss anything - Johnny K made that up. The OP (lightbulb432)
started the thread with the misconception that the server, not the
client, keeps track of cookies. At no point did anyone mention infinite
session timeouts until Johnny K tried to use it to justify his "Tomcat
will run out of memory" comment.
This thread has also shown some confusion with the term "session
cookie", using it as if there were a set of cookies that Tomcat stores
in a session object (not true), rather than just a cookie with a
particular name that the browser keeps track of.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Where to find session cookies
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Every1 is right... just that the original op was having a little difficulty
with the concept.
Need to read the whole thread to make sense of it...
----- Original Message -----
From: "Christopher Schultz" <ch...@christopherschultz.net>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Thursday, June 28, 2007 3:13 PM
Subject: Re: Where to find session cookies
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Johnny,
>
> Johnny Kewl wrote:
>> I think they actually referring to Session cookies, and making Tomcat
>> never timeout a session.
>
> TC will eventually timeout a session unless it is still in use. Just
> because the cookie has no expiration doesn't mean that the session has
> no expiration.
>
> If the session is in use, there's no sense in expiring it. If you have
> many in-use sessions and you run out of memory, then you haven't done
> your capacity planning properly.
>
>> So I think that if attributes and session beans never ever die, they
>> will eventually amass a major amount of memory...
>
> "Session beans" aren't necessarily tied to a user's session in the
> servlet API sense. If you mean "beans in the session", see above...
>
>> in the ops first question he was asking about session timeouts... and
>> making them last forever.
>
> I must have totally missed that. I'll bet there's no way to make a
> session last forever.
>
> A "don't log me out, ever" setting on a webapp usually works outside of
> the session management provided by the container, but also works with
> it. The browser sends a "keep me logged-in" cookie to the server, and if
> the user is not currently logged-in, you perform an "automatic login"
> which does not require credentials but still gives you a session.
>
> This gives the user the illusion of a session that never expires but, of
> course, the session /does/ expire so that the server doesn't explode
> with non-expiring sessions.
>
> If app servers kept sessions indefinitely, they would crash every day :(
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGg7P39CaO5/Lv0PARAiolAJ487UXXyHzyGVP4CCqFmUQ/hE9ARwCeMX5T
> hQgKjZOHiXjNIqbKHpVulaY=
> =zJiM
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Where to find session cookies
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Johnny,
Johnny Kewl wrote:
> I think they actually referring to Session cookies, and making Tomcat
> never timeout a session.
TC will eventually timeout a session unless it is still in use. Just
because the cookie has no expiration doesn't mean that the session has
no expiration.
If the session is in use, there's no sense in expiring it. If you have
many in-use sessions and you run out of memory, then you haven't done
your capacity planning properly.
> So I think that if attributes and session beans never ever die, they
> will eventually amass a major amount of memory...
"Session beans" aren't necessarily tied to a user's session in the
servlet API sense. If you mean "beans in the session", see above...
> in the ops first question he was asking about session timeouts... and
> making them last forever.
I must have totally missed that. I'll bet there's no way to make a
session last forever.
A "don't log me out, ever" setting on a webapp usually works outside of
the session management provided by the container, but also works with
it. The browser sends a "keep me logged-in" cookie to the server, and if
the user is not currently logged-in, you perform an "automatic login"
which does not require credentials but still gives you a session.
This gives the user the illusion of a session that never expires but, of
course, the session /does/ expire so that the server doesn't explode
with non-expiring sessions.
If app servers kept sessions indefinitely, they would crash every day :(
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGg7P39CaO5/Lv0PARAiolAJ487UXXyHzyGVP4CCqFmUQ/hE9ARwCeMX5T
hQgKjZOHiXjNIqbKHpVulaY=
=zJiM
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat and Webdav - [Fatal Error] :-1:-1: Premature end of file
Posted by Mark Thomas <ma...@apache.org>.
Katilie, John wrote:
> All, I'm not sure if I should post this question to the Tomcat or
> Commons List server so please let me know if posting it to Tomcat is
> Incorrect.
This is the right place.
> Anyways, I am running Tomcat 5.5.23 and a Standalone Java application
> using Common HttpClient to access Webdav resources under Tomcat. When I
> updated the client side commons-HttpClient.jar from 2.0 to 3.x I get an
> error under Tomcat indicating: [Fatal Error] :-1:-1: Premature end of
> file.
This is a bug. Tomcat tries to parse the request content for some WebDAV
requests regardless of whether or not there is any content to parse.
I have a fix and will apply it shortly. It will be in the next 4.1.x,
5.5.x and 6.0.x releases.
Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat and Webdav - [Fatal Error] :-1:-1: Premature end of file
Posted by Martin Gainty <mg...@hotmail.com>.
seems to be an encoding/decoding issue where IE stores filenames as UTF-8
and tomcat references using ISO-8859-1
fileName = URLEncoder.encode("manual.pdf", "UTF-8");
http://mail-archives.apache.org/mod_mbox/tomcat-users/200504.mbox/%3C01LMZ3HNUHD6009V6M@fresno.net.uniovi.es%3E
M--
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.
----- Original Message -----
From: "Katilie, John" <Jo...@softwareagusa.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Wednesday, June 27, 2007 4:14 PM
Subject: Tomcat and Webdav - [Fatal Error] :-1:-1: Premature end of file
All, I'm not sure if I should post this question to the Tomcat or
Commons List server so please let me know if posting it to Tomcat is
Incorrect.
Anyways, I am running Tomcat 5.5.23 and a Standalone Java application
using Common HttpClient to access Webdav resources under Tomcat. When I
updated the client side commons-HttpClient.jar from 2.0 to 3.x I get an
error under Tomcat indicating: [Fatal Error] :-1:-1: Premature end of
file.
This message occurs even though everything seems to work. It occurs on
my 1st webdavResource instantiation:
httpURL = new HttpURL(uri);
webdavResource = new WebdavResource(httpURL);
and it seems to occur on each WebdavResource.setPath() request..
Any and all comments are appreciated.
Regards, John Katilie
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Tomcat and Webdav - [Fatal Error] :-1:-1: Premature end of file
Posted by "Katilie, John" <Jo...@softwareagusa.com>.
All, I'm not sure if I should post this question to the Tomcat or
Commons List server so please let me know if posting it to Tomcat is
Incorrect.
Anyways, I am running Tomcat 5.5.23 and a Standalone Java application
using Common HttpClient to access Webdav resources under Tomcat. When I
updated the client side commons-HttpClient.jar from 2.0 to 3.x I get an
error under Tomcat indicating: [Fatal Error] :-1:-1: Premature end of
file.
This message occurs even though everything seems to work. It occurs on
my 1st webdavResource instantiation:
httpURL = new HttpURL(uri);
webdavResource = new WebdavResource(httpURL);
and it seems to occur on each WebdavResource.setPath() request..
Any and all comments are appreciated.
Regards, John Katilie
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Where to find session cookies
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message -----
From: "Caldarale, Charles R" <Ch...@unisys.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Wednesday, June 27, 2007 8:53 PM
Subject: RE: Where to find session cookies
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> Subject: Re: Where to find session cookies
>
> True, although I dont know how to make Tomcat do that, nor do
> I think it should be done, they must expire, or else with time
> his Tomcat will run out of memory.
???
Why do you think Tomcat will run out of memory? Cookies are inserted
into responses, maintained by the client and returned on subsequent
requests. Unless a webapp is keeping track of them for some esoteric
reason, there's no memory consumed once a request has been processed and
the response sent.
---
I think they actually referring to Session cookies, and making Tomcat never
timeout a session.
So I think that if attributes and session beans never ever die, they will
eventually amass a major amount of memory.... in the ops first question he
was asking about session timeouts... and making them last forever.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Where to find session cookies
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> Subject: Re: Where to find session cookies
>
> True, although I dont know how to make Tomcat do that, nor do
> I think it should be done, they must expire, or else with time
> his Tomcat will run out of memory.
???
Why do you think Tomcat will run out of memory? Cookies are inserted
into responses, maintained by the client and returned on subsequent
requests. Unless a webapp is keeping track of them for some esoteric
reason, there's no memory consumed once a request has been processed and
the response sent.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Where to find session cookies
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Johnny,
Johnny Kewl wrote:
> True, although I dont know how to make Tomcat do that
Do what?
> nor do I think it should be done, they must expire, or else with time
> his Tomcat will run out of memory.
What are you talking about? Tomcat doesn't store cookies AFAIK. It just
sends them to the browser, and the browser is responsible for sending
them back when requests are made.
Why would TC run out of memory handling cookies?
If the cookie has no expiration date, then the browser will not save it
beyond the current session.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGg7JP9CaO5/Lv0PARAhhvAJ9l7HfOchLvwCdRNtho6jkPgK267gCfYB5n
iKPnatZgk3BHukef6w9jdZU=
=vblU
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Where to find session cookies
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
True, although I dont know how to make Tomcat do that, nor do I think it
should be done, they must expire, or else with time his Tomcat will run out
of memory.
----- Original Message -----
From: "Nelson, Tracy M." <Tr...@nelnet.net>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Wednesday, June 27, 2007 7:21 PM
Subject: RE: Where to find session cookies
| From: lightbulb432 [mailto:veerukrishnan@hotmail.com]
| Sent: Tuesday, 26 June, 2007 14:13
|
| How can I configure Tomcat to use permanent cookies as opposed to
session
| cookies? One of the reasons I'd like to know is to see the behavior of
| method isNew() of HttpSession, which I can do if I'm able to disable
| cookies. As the Javadoc for HttpSession says:
|
| "A servlet should be able to handle cases in which the client does not
| choose to join a session, such as when cookies are intentionally
turned
| off."
I think the only thing that differentiates between session and
persistent cookies is the presence of an expiration date. No date ==
session cookie, future date == persistent cookie.
To check the behavior you're curious about, why not just disable cookies
in your browser? ISTR that TC then just sets the session ID explicitly
in the query string of the URL.
-----------------------------------------
------------------------------------------------------------
The information contained in this message is confidential
proprietary property of Nelnet, Inc. and its affiliated
companies (Nelnet) and is intended for the recipient only.
Any reproduction, forwarding, or copying without the express
permission of Nelnet is strictly prohibited. If you have
received this communication in error, please notify us
immediately by replying to this e-mail.
------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Where to find session cookies
Posted by "Nelson, Tracy M." <Tr...@nelnet.net>.
| From: lightbulb432 [mailto:veerukrishnan@hotmail.com]
| Sent: Tuesday, 26 June, 2007 14:13
|
| How can I configure Tomcat to use permanent cookies as opposed to
session
| cookies? One of the reasons I'd like to know is to see the behavior of
| method isNew() of HttpSession, which I can do if I'm able to disable
| cookies. As the Javadoc for HttpSession says:
|
| "A servlet should be able to handle cases in which the client does not
| choose to join a session, such as when cookies are intentionally
turned
| off."
I think the only thing that differentiates between session and
persistent cookies is the presence of an expiration date. No date ==
session cookie, future date == persistent cookie.
To check the behavior you're curious about, why not just disable cookies
in your browser? ISTR that TC then just sets the session ID explicitly
in the query string of the URL.
-----------------------------------------
------------------------------------------------------------
The information contained in this message is confidential
proprietary property of Nelnet, Inc. and its affiliated
companies (Nelnet) and is intended for the recipient only.
Any reproduction, forwarding, or copying without the express
permission of Nelnet is strictly prohibited. If you have
received this communication in error, please notify us
immediately by replying to this e-mail.
------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Where to find session cookies
Posted by "Fargusson.Alan" <Al...@ftb.ca.gov>.
It is up the servlet. As far as I know Tomcat cannot change this.
As to how you get the servlet to use one or the other: I do not know enough about WEB programming to tell you.
-----Original Message-----
From: lightbulb432 [mailto:veerukrishnan@hotmail.com]
Sent: Tuesday, June 26, 2007 12:13 PM
To: users@tomcat.apache.org
Subject: RE: Where to find session cookies
How can I configure Tomcat to use permanent cookies as opposed to session
cookies? One of the reasons I'd like to know is to see the behavior of
method isNew() of HttpSession, which I can do if I'm able to disable
cookies. As the Javadoc for HttpSession says:
"A servlet should be able to handle cases in which the client does not
choose to join a session, such as when cookies are intentionally turned
off."
Fargusson.Alan wrote:
>
> Session cookies are not stored on disk. This is why they are more secure
> then cookies (non-session). Since they only exist in RAM (ok, maybe in
> swap files) nobody else using that machine can find them, and they go away
> when the browser ends.
>
> -----Original Message-----
> From: lightbulb432 [mailto:veerukrishnan@hotmail.com]
> Sent: Tuesday, May 29, 2007 12:15 PM
> To: users@tomcat.apache.org
> Subject: Where to find session cookies
>
>
>
> When testing my application that uses sessions, I don't seem to see a
> cookie
> with domain localhost in my browser's cookies folder. Does Tomcat use some
> internal folder to put its cookies, or am I just doing something else
> wrong?
>
> I do have cookies enabled, so it's not writing the session id to the URL,
> either.
>
> Thanks.
> --
> View this message in context:
> http://www.nabble.com/Where-to-find-session-cookies-tf3835973.html#a10860700
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
--
View this message in context: http://www.nabble.com/Where-to-find-session-cookies-tf3835973.html#a11311838
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org