I have a web application running under Tomcat which uses the HttpSession object to track users' sessions. The application is made up of some static HTML pages (for example, a frameset which contains a navigation menu) and servlets - not JSPs.
In my login servlet I use:
HttpSession s = request.getSession(true);
to establish the session and store some values such as UserID.
In other servlets, I use:
HttpSession s = request.getSession(false);
then I check if (s == null) which would mean there is no session, which means the user is not logged in. If (s != null) I check some attributes of the session and proceed from there.
I have run into a problem where if the user does not have cookies enabled, the sessions are not being tracked, and therefore my "other" servlets think a user is not logged in, when in fact they have successfully logged in. When cookies are enabled, everything is working properly.
My question is this:
If a user does not have cookies enabled, should the HttpSession object *automatically* use URL rewriting? Is this something that I must set or configure in server.xml or web.xml?
If this functionality is not automatic (it doesn't seem to be, at least not the way Tomcat is configured now), how can I use the HttpSession object to track sessions without using cookies?
Thanks in advance for your assistance.