3

As per my understanding, the same session is shared among different tabs of the same browser window, and for a different browser window a different session is created. Now some questions on my understanding:

1) When I hit my web application in two different browser windows, I see the same jsessionId in the Firefox console. How is the same session shared among two different browser windows? By default the session is maintained through cookies with the help of the jsessionId, which is created by the web server. The other way of maintaining the session is through URL rewriting, where we maintain the session by passing the jsessionId in each URL request. I can see org.tuckey.web.filters.urlrewrite.UrlRewriteFilter being used in the project, but this class's documentation does not seem to do any magic for session maintenance. I do not understand how the same session is attached to two different browser windows, or the technical approach to do it.

2) Similarly, when I hit two different applications in two different tabs of the same browser window, say Google and some other website such as Yahoo, I don't see the same jsessionId in the Firefox console for these two websites. Is the website doing some special stuff here to generate a new session for each tab? In fact, for some websites (probably for Google) I do not see a jsessionId at all in the Firefox window. How is that possible? My understanding is that it is generated automatically by the web server and is passed either by cookies or URL rewriting?

It would be helpful if somebody could answer inline to my questions, as it's important to understand each point posted here for session management.

UPDATE: Let me put my questions as different scenarios:

1) Hit two different URLs (say google.com and stackoverflow.com) in two different tabs of the same browser window.

My understanding: Two sessions will be created, as two cookies will be created for two different domains/ports.

2) Hit the same URL (say stackoverflow.com) in two different tabs of the same browser window.

My understanding: One session will be created, as the same cookies will be reused.

3) Hit the same URL (say stackoverflow.com) in two totally different windows of the browser (Firefox).

My understanding: How many sessions will be created in this case?

4

2 Answers

4

Your first assumption is not correct. If you use session management with cookies (default for Java servlet containers) then your session is visible in all windows of the same browser instance.

If you configure your Java servlet server to use URL rewrite only for sessions, then you can have one session per tab.

Usually two different Java web applications will always create two different session cookies, each valid only for its own application scope. The cookies are bound to the domain and path.

Other web frameworks like PHP can handle this totally differently.

Answered 2013-04-23T15:15:39.493
1

The cookie jsession_id is created by the server, which sends it to the browser in return for a request through an HTTP header Set-Cookie. The cookie is stored on the client by the browser. Henceforth, the browser will resend that cookie for every subsequent request on the same domain (the cookie can be restrained with secure and path, see https://en.wikipedia.org/wiki/HTTP_cookie#Terminology, but it is irrelevant here).

The browser has access to that cookie from all tabs (basic rights and security) and it is a design choice if it separates sessions (same cookies on all tabs) or merges them (same cookies on all tabs, therefore same session on all tabs within the same domain). As far as I know, all browsers choose to share cookies on tabs but I am no expert.

So in order to maintain a session across multiple instances of the same Java program, you need to do the same and store your jsession_id cookie (and reuse it if relevant) outside of the memory of each instance (for example in a file). This might not be trivial if security is important.

As to point 2, it is important to understand that even though both cookies are jsession_id, they are related to different domains (and have been set by each server) so there is no reason for them to be equal.

Answered 2013-04-23T15:28:39.947
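
The cookie scoping both answers describe (one jar shared by every tab and window, cookies bound to domain and path), as an added example that is not part of either answer: a small Python model of a browser cookie jar. The hosts shop.example and other.example, the session values and the class and function names are constructed for illustration, and the default-path rule is simplified to "/".

```python
from http.cookies import SimpleCookie


def domain_match(host, domain, host_only):
    """RFC 6265 5.1.3: exact host, or a subdomain when Domain= was set."""
    return host == domain or (not host_only and host.endswith("." + domain))


def path_match(req_path, cookie_path):
    """RFC 6265 5.1.4: cookie path must be a whole-segment prefix."""
    if req_path == cookie_path:
        return True
    return req_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or req_path[len(cookie_path)] == "/")


class BrowserCookieJar:
    """One jar per browser profile; every tab and window reads from it."""

    def __init__(self):
        self._cookies = {}  # (domain, path, name) -> (value, host_only)

    def store(self, request_host, set_cookie_header):
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            path = morsel["path"] or "/"  # simplification of the default path
            key = (domain or request_host, path, name)
            self._cookies[key] = (morsel.value, not domain)

    def cookie_header(self, host, path):
        """Build the Cookie header a tab would send for host + path."""
        return "; ".join(sorted(
            f"{name}={value}"
            for (domain, cpath, name), (value, host_only) in self._cookies.items()
            if domain_match(host, domain, host_only) and path_match(path, cpath)))


def demo():
    jar = BrowserCookieJar()  # shared by all tabs/windows
    # Constructed Set-Cookie responses: two apps on one host, one other host.
    jar.store("shop.example", "JSESSIONID=AAA111; Path=/app1; HttpOnly")
    jar.store("shop.example", "JSESSIONID=BBB222; Path=/app2; HttpOnly")
    jar.store("other.example", "JSESSIONID=CCC333; Path=/; HttpOnly")
    return {
        "tab_1": jar.cookie_header("shop.example", "/app1/cart"),
        "window_2": jar.cookie_header("shop.example", "/app1/orders"),
        "app2_tab": jar.cookie_header("shop.example", "/app2/"),
        "other_site": jar.cookie_header("other.example", "/"),
    }
```

The tab and the second window send the same JSESSIONID because both read the one jar, while the second application path and the other host each get their own value.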