Issue
I'm reading from "Head First JSP And Servlets" about the `HttpSession.isNew()` method. There is a strange behavior I am not able to understand.
Here is some sample code.
```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TestSessionServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        // GET is handled the same way as POST
        doPost(httpServletRequest, httpServletResponse);
    }

    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        httpServletResponse.setContentType("text/html");
        PrintWriter out = httpServletResponse.getWriter();
        // Returns the session matching the request's session ID, or creates one
        HttpSession session = httpServletRequest.getSession();
        if (session.isNew()) {
            out.println("this is a new session");
        } else {
            out.println("Welcome Back Ben:");
        }
    }
}
```
Now, when I deploy the application in Tomcat and hit the servlet for the first time, rather than going to the `if` block, it goes to the `else` block. When I hit the same servlet from another browser for the first time, it goes to the `if` block.
When the application has just started and I have hit the servlet for the first time, shouldn't it go to the `if` block rather than the `else`? Can someone elaborate on this?
Solution
Clear the browser's cookies before accessing your servlet (CTRL+SHIFT+DEL on most browsers). The session should be new on the first access after you clear the cookies.
The idea is this. HTTP is a stateless protocol, which means that each request is unrelated to any previous requests. This works fine for things like websites that just serve pages to whoever requests them, but poses a problem for a web application that needs to track complex interactions with different users.
The session is a means of storing data to retain information about the user's interaction with the application. But how does the server know which request belongs to what user since HTTP is stateless and requests are all the same for the server?
In a stateless protocol, the request must contain all data necessary for the server to process that request. This also includes client cookies, if any. The cookies contain an identification token known as a "Session ID" (in Java it is a JSESSIONID).
You get a "Session ID" with the following flow of execution (the flow is a little bit more complicated as it needs to account for expired sessions or browsers that have cookies disabled but this is the general idea):
- browser makes the first request ever to the application. No cookies are present at this time on client side so no cookie is sent with the request;
- application looks for the "Session ID" in the request. None is found so the application knows this is a request from a new client. Application creates a new session and generates a "Session ID" to identify this session;
- application responds to the client and includes the "Session ID" inside a cookie in the response;
- browser makes another request to the application. Cookies are present at this time and browser sends them back to the application;
- application looks for the "Session ID" in the request. This time it is found so the server knows this is a request from an old client and looks up an existing session based on the value inside the "Session ID".
This is why the application displays the correct message when you access your servlet with a new browser and why it displays the wrong message if you use another one. The other browser probably has cookies from previous requests you made to the application.
A server restart doesn't always mean that sessions are destroyed. Tomcat serializes/deserializes sessions in between restarts, so sessions you think might no longer exist might still be live on the server and get associated with existing cookies. Clearing your browser's cookies means a fresh request with no session information inside it.
Answered By - Bogdan
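
The flow described in the answer can be observed directly with a diagnostic servlet. This is an added example, not code from the question or the answer: the class name `SessionDebugServlet` is an assumption, and the request methods used are standard Servlet API calls.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet (the name is an assumption, not from the page).
public class SessionDebugServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Inspect what the client sent BEFORE getSession() has a chance to create anything.
        String requestedId = request.getRequestedSessionId();       // null if no session ID was sent
        boolean fromCookie = request.isRequestedSessionIdFromCookie();
        boolean stillValid = request.isRequestedSessionIdValid();   // false if none sent or server no longer has it

        HttpSession session = request.getSession();                 // looks up the session or creates one

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        // Report only booleans: the session ID itself is a credential and is not echoed.
        out.println("session ID sent by client: " + (requestedId != null));
        out.println("sent in a cookie:          " + fromCookie);
        out.println("server still knows it:     " + stillValid);
        out.println("session.isNew():           " + session.isNew());

        if (requestedId == null) {
            out.println("=> first contact: no session ID in the request, new session created");
        } else if (!stillValid) {
            out.println("=> stale session ID: the client sent one the server no longer has, new session created");
        } else {
            out.println("=> existing session found (possibly restored by the container after a restart)");
        }
    }
}
```

If the first request after a redeploy reports a session ID sent in a cookie that the server still knows, the browser kept its cookie and the container kept the session, which is the situation the answer describes.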