JBossWeb/Tomcat HTTP Session Implementation Details

From NovaOrdis Knowledge Base

Internal

Relevance

  • JBoss AS 5.1.2

Lifecycle

  • Each Request maintains a direct reference to the active Session instance for that request; it can be null.
  • The repository of sessions for a specific application (context) is the StandardManager, referred to from the StandardContext via the manager reference.
  • Sessions are not created automatically by the Tomcat machinery. A session is created only when we invoke HttpServletRequest.getSession() (which is equivalent to HttpServletRequest.getSession(true)) or org.apache.catalina.connector.Request.getSessionInternal().
  • When HttpServletRequest.getSession() is invoked, the following happens:
    • The Manager instance is obtained from the StandardContext associated with the request.
    • Manager.findSession(sessionId) is invoked on the Manager instance.
    • The Session is looked up in the sessions map by its session ID. If found, it is returned.
    • If no session is found, and org.apache.catalina.connector.Request.SESSION_ID_CHECK is true, the request tries to find a session with an ID equal to requestedSessionId among the Host's children.
    • If no session is found, the Manager instance is asked to createSession(sessionId).
    • Once the session is created by the manager (and its ID generated), the request sets a "session" cookie on the Response: "Set-Cookie" "JSESSIONID=FFB6...56; Path=/mycontext". The internal implementation of the cookie is TomcatCookie.
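
The lookup-then-create sequence above, as a simplified plain-JDK model. This is an added example, not JBossWeb/Tomcat source: the class SessionLifecycleModel, the method bodies, the ID format and the rule for when a requested ID is reused are assumptions made for illustration, and "CONSTRUCTED-ID" is a constructed sample value.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.*;

// Simplified model of the lookup-then-create steps; not JBossWeb/Tomcat source.
public class SessionLifecycleModel {
    static final boolean SESSION_ID_CHECK = true; // stands in for Request.SESSION_ID_CHECK

    // Stand-in for StandardManager: the session repository of one context.
    static class Manager {
        final String path;
        final Map<String, Long> sessions = new HashMap<>(); // id -> creation time
        final SecureRandom random = new SecureRandom();
        int sessionCounter = 0;
        Manager(String path) { this.path = path; }

        boolean findSession(String id) { return id != null && sessions.containsKey(id); }
        // Assumption: 128 random bits rendered as hex; the real format may differ.
        String generateSessionId() { return new BigInteger(128, random).toString(16).toUpperCase(); }
        String createSession(String id) { // a null id means "generate one"
            String sid = (id != null) ? id : generateSessionId();
            sessions.put(sid, System.currentTimeMillis());
            sessionCounter++;
            return sid;
        }
    }

    // Model of getSession(): returns the session id bound to the request.
    static String getSession(Manager own, List<Manager> hostChildren,
                             String requestedId, List<String> headers) {
        if (own.findSession(requestedId)) return requestedId; // found: no new cookie
        String reuse = null; // assumption: reuse an id only if a sibling context holds it
        if (SESSION_ID_CHECK)
            for (Manager m : hostChildren)
                if (m.findSession(requestedId)) reuse = requestedId;
        String id = own.createSession(reuse);
        headers.add("Set-Cookie: JSESSIONID=" + id + "; Path=" + own.path);
        return id;
    }

    public static void main(String[] args) {
        Manager a = new Manager("/mycontext"), b = new Manager("/other");
        List<Manager> host = Arrays.asList(a, b);
        List<String> headers = new ArrayList<>();
        String first = getSession(a, host, null, headers);               // no cookie sent
        String again = getSession(a, host, first, headers);              // id known to this context
        String unknown = getSession(a, host, "CONSTRUCTED-ID", headers); // id known nowhere
        String shared = getSession(b, host, first, headers);             // id known to a sibling
        System.out.println(first.equals(again) + " " + unknown.equals("CONSTRUCTED-ID")
                + " " + shared.equals(first) + " counter=" + a.sessionCounter);
        headers.forEach(System.out::println);
    }
}
```

When reviewing a real deployment, the case to verify against the actual container is the third call: whether a client-supplied ID that no context recognizes is ever adopted as the new session's ID.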

SessionID Generation

SessionID is generated by ManagerBase.generateSessionId().

Session Counter

Maintained by the sessionCounter variable of the StandardManager instance of the web application.