We have a SecurityFilter class in our application that implements Filter, and our doFilter method looks like this:

public void doFilter(ServletRequest sres, ServletResponse sreq,
            FilterChain chain) throws IOException, ServletException {

        LOGGER.debug(Logger.buildLogMessage("Starting SecurityFilter.doFilter"));
        HttpServletRequest request = (HttpServletRequest) sres;
        HttpServletResponse response = (HttpServletResponse) sreq;

        HttpSession session = request.getSession();

We have the following entry in our web.xml:

<filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>com.a.b.c.web.filter.SecurityFilter</filter-class>
</filter>

<filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/resources/*</url-pattern>
</filter-mapping>

We have many REST calls to our application, and all of them pass through this filter. The Java API documentation says that request.getSession() returns the session if one exists and otherwise creates a new session. But in our application, request.getSession() always creates a new session for every REST call. What could be going wrong here?

Veera
  • Start with the client and make sure it is sending a JSESSIONID cookie. – Ted Bigham Apr 11 '14 at 08:39
  • If the client doesn't send the session cookie as part of its requests, the server has no way to know which session the request belongs to, and it thus recreates one. – JB Nizet Apr 11 '14 at 08:39
  • By maintaining session you are violating one of the basic constraints of REST architecture – Anirudha Apr 11 '14 at 08:45
  • @Anirudha that's not true. The connection is stateless, not the session. – Ted Bigham Apr 11 '14 at 08:47
  • Sniff the request/response to see if the cookie is there for subsequent calls, like @Ted proposed. – Leos Literak Apr 11 '14 at 10:24
  • @TedBigham The REST API consumer is a Python script which polls (every 15m) from a different system. How to maintain a JSESSIONID cookie in this case? – Veera Apr 11 '14 at 12:04
  • The Python script would have to maintain state between invocations. So this is really looking like a Python question as opposed to a Java one. Fun. http://stackoverflow.com/questions/923296/keeping-a-session-in-python-while-making-http-requests – Ted Bigham Apr 11 '14 at 19:40

1 Answer

If your application settings are set to track JSESSIONID via cookie, the application will return the same session if you're making a request from the same browser, and a new session if you're making a request from a different browser. This is obviously because cookies live on a per-browser basis.

Matt
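
The thread above traces the new-session-per-call behaviour to a polling client that starts from scratch on every run and so never sends JSESSIONID back. As an added example (not code from the question, the comments or the answer), this is one way a Python script can keep the cookie between invocations using only the standard library; the function name `poll` and the cookie-file path argument are assumptions made for the example.

```python
import http.cookiejar
import os
import urllib.request


def poll(url, jar_path):
    """One polling run: replay saved cookies, fetch url, save cookies again.

    poll and jar_path are names chosen for this example.
    """
    jar = http.cookiejar.LWPCookieJar(jar_path)
    if os.path.exists(jar_path):
        # JSESSIONID is normally a session cookie (no Expires/Max-Age), so
        # cookiejar marks it "discard" and skips it unless told otherwise.
        jar.load(ignore_discard=True)

    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar))
    with opener.open(url, timeout=10) as resp:
        body = resp.read()

    # The session id is a bearer credential: make the file owner-only
    # before any cookie is written into it.
    os.close(os.open(jar_path, os.O_WRONLY | os.O_CREAT, 0o600))
    os.chmod(jar_path, 0o600)
    jar.save(ignore_discard=True)
    return body, {c.name: c.value for c in jar}


if __name__ == "__main__":
    import sys
    # Usage: python poll.py <url> <cookie-file>
    _, cookies = poll(sys.argv[1], sys.argv[2])
    # Print cookie names only; never log the session id itself.
    print("cookies held:", sorted(cookies))
```

Without `ignore_discard=True` on both `load` and `save`, the file is written but the session cookie is silently left out, and the server keeps creating a new session on every run.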