servlet session, cookie

Hi,

I was reading as below

Session Id

When a client is interacting with the server, an id is generated by the server.
(is the above one the session id?)
Request from the server passes to WebServer.
(how is server different from webserver?)
WebServer passes these requests to the given Servlet.

Request object sent to the Server creates the instance of the servlet.
This happens in the init() method.
(How does the init method create the instance of the servlet, as init is part of the servlet methods, right? If there is no init() method in the servlet, then the servlet instance cannot be created?)

Servlet creates Session Objects on the Server.

A particular session has a unique id.
The generated id is passed to the client using the response Object.
(is the above one also the session id?)
It is added to the Cookie in the given browser. Every browser has a different Cookie.
So each browser has a different Session id.
(if 2 users use the same browser, how to distinguish them? Does every browser have a different cookie, or does every user have a different cookie/session id?)

I was not very clear on the whole process and how session id and cookies are related to individual user, browser.

Please advise.

Any links resources ideas highly appreciated. Thanks in advance
gudii9 Asked:

girionis Commented:
The session id is created on the server, when the user first issues a request. Then it is sent back from the server to the client (for example the browser) with the response. The browser then sends it to the server on every subsequent request, in order for the server to be able to identify that the user is the same. The session can be sent back to the server either as a cookie or as part of the GET request (URL rewriting), especially if cookies are disabled.

The init() method of the servlet is called only once, during servlet initialisation. If the init method throws an exception or does not complete successfully then the servlet cannot receive any requests.
0
Michel Plungjan (IT Expert) Commented:
Did you sit down and read a basic book or read a proper tutorial?
It seems you have questions about every single aspect of JAVA and fire off questions that are readily answered by basic JAVA tutorials.

To answer some of your questions here

Yes, it is a session cookie and it is computer and browser based, meaning that the same browser on the same computer will send the same session cookie to the server.

If you open another browser (e.g. IE instead of Firefox) you will get another session, but if you open a new window in the same browser you will share the session and may confuse whatever you have in the other window.

I think there was a typo in the text you are reading (please quote the source so we can verify the quality, for example w3schools is a very poor resource) - the CLIENT sends the cookie to the webserver, the webserver forwards the session to the container/application
0
gudii9 (Author) Commented:
>> Then it is sent back from the server to the client (for example the browser) with the response

How to send the session id with the response? Who will do it and how?

>>> The session can be sent back to the server either as a cookie or as part of the GET request (URL rewriting), especially if cookies are disabled.

Who will distinguish which approach, either cookie or URL rewriting?

>>> but if you open a new window in the same browser you will share the session and may confuse whatever you have in the other window.

If I open two new windows of the same browser, and me and my friend logged in from each window of the same browser on the same computer, how is that situation handled? Is it a separate session in that case?

Please advise

>>> If the init method throws an exception or does not complete successfully then the servlet cannot receive any requests

In this case, is the servlet instance created or not? If there is no init method overridden in the servlet, it gets it from the super class, right?
0

Michel Plungjan (IT Expert) Commented:
If the same browser has two windows open, the same session cookie is sent back. If the browser does not accept cookies, and URL rewriting is turned on, the jsession attribute is added to the URL.

About the init, I do not know. I only wanted to give you some idea of session cookies. Look the other stuff up in the reference for your container
0
girionis Commented:
>> In this case, is the servlet instance created or not?
Created but not initialised. If it's not initialised you cannot use it.

>> If there is no init method overridden in the servlet, it gets it from the super class, right?
Yes.
0
gudii9 (Author) Commented:
>>> If the same browser has two windows open, the same session cookie is sent back. If the browser does not accept cookies, and URL rewriting is turned on, the jsession attribute is added to the URL

But I have a weird special case here where two different users logged in from two different tabs of the same laptop, same browser. I wonder how maintaining the same session for two separate users is a good approach.

>> Created but not initialised. If it's not initialised you cannot use it.

What is the use or point of a servlet being created if it cannot be used? I wonder why they allow it this way; if the servlet were not created instead, that would be better, right? Please advise
0
mccarl (IT Business Systems Analyst / Software Developer) Commented:
>> But I have a weird special case here where two different users logged in from two different tabs of the same laptop, same browser. I wonder how maintaining the same session for two separate users is a good approach.
To clarify this point, if sessions are being tracked by session cookies, then NO, this case can't be handled, i.e. the first user would get logged out when the second user logs in on the other tab. However, if URL rewriting is used then the two logged in users could co-exist ok because the two sessions are identified by two different session ids that are part of the URL which CAN be different on the two tabs.

However, note that generally the server (and you, as the person implementing the server side code) chooses which session tracking option to use based on all the factors and it is NOT up to the client side to choose which method to use. Generally, the ability to be logged in as different accounts on different tabs is NOT a consideration that gets a high importance.


>> What is the use or point of a servlet being created if it cannot be used? I wonder why they allow it this way; if the servlet were not created instead, that would be better, right? Please advise
There isn't any "use" of it, but it is just how Java works. All that we are saying here is that in order to be able to call the "init" method, which is an instance method (i.e. it is NOT a static method), the Servlet framework needs to have created an instance of the Class that implements your servlet. So even if this "init" method fails, the object was still created.

And anyway, in this case it is highly likely that the servlet framework would NOT keep a reference to this "failed initialisation" servlet object and it would just get Garbage Collected anyway.

You really don't need to worry about any of this anyway, just know that these things happen. An object of your servlet class will be instantiated (at this point the appropriate constructor in your servlet class will execute), then the servlet framework will call "init" method on this newly created servlet object, if it returns successfully from init then it is ready for the servlet framework to call the doXXX methods when requests come in, otherwise the servlet framework does NOT do anything else with the object. Does that make it clearer?
0
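The lifecycle described in the answer above, as an added example that is not part of the original thread: `ReportServlet`, its `configFile` init-param and the `load` helper are hypothetical, and `load` only imitates in outline what a container does. It assumes the `javax.servlet` API (Servlet 3.x) is on the classpath.

```java
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

public class LifecycleDemo {

    // Hypothetical servlet: init() fails when the "configFile" init-param is missing.
    public static class ReportServlet extends HttpServlet {
        public ReportServlet() {
            System.out.println("constructor: instance created");
        }

        @Override
        public void init() throws ServletException {
            // No init() override at all would simply inherit GenericServlet's empty init().
            if (getInitParameter("configFile") == null) {
                throw new ServletException("missing init-param configFile");
            }
            System.out.println("init: servlet ready for requests");
        }
    }

    // Minimal stand-in for the ServletConfig a container passes to init(ServletConfig).
    static ServletConfig config(final String configFile) {
        return new ServletConfig() {
            public String getServletName() { return "report"; }
            public ServletContext getServletContext() { return null; }
            public String getInitParameter(String name) {
                return "configFile".equals(name) ? configFile : null;
            }
            public Enumeration<String> getInitParameterNames() {
                return Collections.enumeration(Collections.singletonList("configFile"));
            }
        };
    }

    // Instantiate first, then call init on the new object; keep it only if init succeeds.
    static HttpServlet load(ServletConfig cfg) throws ReflectiveOperationException {
        HttpServlet servlet = ReportServlet.class.getDeclaredConstructor().newInstance();
        try {
            servlet.init(cfg);
            return servlet;
        } catch (ServletException e) {
            System.out.println("init failed (" + e.getMessage() + "): instance discarded");
            return null; // the object existed, but nothing references it any more
        }
    }

    public static void main(String[] args) throws Exception {
        load(config(null));                          // constructor runs, init fails
        load(config("/constructed/path.properties")); // constructor runs, init succeeds
    }
}
```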
gudii9 (Author) Commented:
>>> However, if URL rewriting is used then the two logged in users could co-exist ok because the two sessions are identified by two different session ids that are part of the URL which CAN be different on the two tabs.

Above seems to be a bit insecure way if we allow it like this. I think, as you explained, session cookies seem to me a more secure approach
0
mccarl (IT Business Systems Analyst / Software Developer) Commented:
>> Above seems to be a bit insecure way if we allow it like this. I think, as you explained, session cookies seem to me a more secure approach
As explained in one of your other questions, yes, using the URL rewriting method does have some disadvantages in terms of security, although all the methods have issues (if not using SSL/TLS, i.e. https) as the session id is transmitted as clear text over the wire, so that if anyone is able to "sniff" the traffic, then it doesn't matter which method is used, the session security can be compromised. It is only that the URL rewriting method exposes the session id in the browser bar, so that it can be read by someone nearby, stored as the value of a link or sent to another site via the referrer header.
0
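How the server-side choice between cookie and URL tracking discussed in this thread can be pinned down, as an added example that is not from the thread: the class names and the `/whoami` path are hypothetical, and the code assumes a Servlet 3.0+ container with the `javax.servlet` API (`jakarta.servlet` on newer containers) serving the application over HTTPS.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

public class SessionTrackingExample {

    // Runs once at application start-up: the application, not the browser, picks the mode.
    @WebListener
    public static class Hardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            // Cookie only: the container no longer appends ;jsessionid=... to URLs,
            // so the id stays out of the address bar, saved links and Referer headers.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setSecure(true);   // browser returns the cookie over HTTPS only
            cookie.setHttpOnly(true); // cookie is not readable from page script
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    // Shows who sends the id and how it came back, without printing the id itself.
    @WebServlet("/whoami")
    public static class WhoAmI extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // getSession(true) makes the container create the session and add the
            // Set-Cookie header to this response; application code never builds it.
            HttpSession session = req.getSession(true);
            resp.setContentType("text/plain");
            PrintWriter out = resp.getWriter();
            out.println("new session: " + session.isNew());
            out.println("id arrived in cookie: " + req.isRequestedSessionIdFromCookie());
            out.println("id arrived in URL: " + req.isRequestedSessionIdFromURL());
            // encodeURL() is the hook for URL rewriting; with cookie-only tracking
            // it returns the link unchanged.
            out.println("link: " + resp.encodeURL(req.getContextPath() + "/whoami"));
        }
    }
}
```

On the first request the servlet reports a new session with no id received; on the next request from the same browser, in any tab or window, it reports the id arriving in the cookie.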