290

When / what are the conditions when a JSESSIONID is created?

Is it per a domain? For instance, if I have a Tomcat app server, and I deploy multiple web applications, will a different JSESSIONID be created per context (web application), or is it shared across web applications as long as they are the same domain?

johnm
joshjdevl

5 Answers

343

The JSESSIONID cookie is created/sent when a session is created. A session is created when your code calls `request.getSession()` or `request.getSession(true)` for the first time. If you just want to get the session, but not create it if it doesn't exist, use `request.getSession(false)` -- this will return you a session or null. In this case, a new session is not created, and the JSESSIONID cookie is not sent. (This also means that a session isn't necessarily created on the first request... you and your code are in control of when the session is created.)

Sessions are per-context:

SRV.7.3 Session Scope

HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

(Servlet 2.4 specification)

Update: Every call to a JSP page implicitly creates a new session if there is no session yet. This can be turned off with the `session='false'` page directive, in which case the session variable is not available on the JSP page at all.

Laurel
Peter Štibraný
  • Can't a session be created w/o an explicit call to getSession? In regards to "must never be shared between contexts by the container", WebSphere has an option to share sessions, which is the motivation for the question :) – joshjdevl Mar 03 '09 at 01:49
  • Not if you use just Servlet API. There may be server-specific extensions (like Websphere's session sharing as you point out) though. – Peter Štibraný Mar 03 '09 at 15:39
  • I believe your context.xml file can control the automatic session creation if your tag contains a cookies attribute, e.g. – B T Jan 18 '12 at 22:25
  • Right now I'm getting many hits on my filter to create session and it seems like it's only after the second hit (not a second page refresh) that it's being created. This called my attention: "session isn't necessarily created on first request..". Is it related? Could you give an example why this is not necessarily created at first request? Thanks! – jpganz18 May 29 '17 at 20:32
  • @jpganz18: If you simply call `request.getSession()` or `request.getSession(true)`, then you get either existing or new session. However if your code calls `request.getSession(false)`, then you get either existing session or null, if no session exists. – Peter Štibraný Jun 10 '17 at 11:16
  • 1) `HttpSession` objects must be scoped at the application level. 2) session object is created for every browser connection to tomcat. Am unable to relate these two points. – overexchange Dec 26 '17 at 05:15
51

Here is some information about one more source of the JSESSIONID cookie:

I was just debugging some Java code that runs on a Tomcat server. I was not calling `request.getSession()` explicitly anywhere in my code but I noticed that a JSESSIONID cookie was still being set.

I finally took a look at the generated Java code corresponding to a JSP in the work directory under Tomcat.

It appears that, whether you like it or not, if you invoke a JSP from a servlet, JSESSIONID will get created!

Added: I just found that by adding the following JSP directive:

<%@ page session="false" %>

you can disable the setting of JSESSIONID by a JSP.

YCF_L
Rangachari Anand
  • In other words: the default value for the page session attribute is "true". Which might be unexpected in some (many?) cases. – David Balažic Sep 10 '15 at 20:33
  • I'm also on tomcat, and I do not use jsp at all, but the session cookie is created anyway. Any idea how to prevent it in this situation? – ClassyPimp Nov 19 '17 at 07:05
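
To find out which code path creates the session in cases like the ones discussed above (an implicit JSP session or a `getSession()` call somewhere in a framework), a session listener can report the first non-container stack frame at creation time. This is an added example, not code from any of the answers; the class name and the list of skipped package prefixes are assumptions based on Tomcat's package names, and it relies on Tomcat calling the listener on the request thread that triggered the creation.

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: reports which code path caused a session (and so a JSESSIONID) to be created.
@WebListener // Servlet 3.0+; on older containers register it with <listener> in web.xml
public class SessionCreationAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationAuditListener.class.getName());

    // Container and JDK frames to skip. The prefixes are Tomcat's (an assumption elsewhere).
    // Compiled JSPs live in org.apache.jsp.* on Tomcat and are deliberately NOT skipped.
    private static final String[] SKIPPED = {
        "java.", "javax.", "sun.", "jdk.", "org.apache.catalina.",
        "org.apache.jasper.", "org.apache.coyote.", "org.apache.tomcat."
    };

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // The session id is a credential, so it is intentionally left out of the log line.
        LOG.info("session created: context="
                + session.getServletContext().getContextPath()
                + " by=" + firstApplicationFrame());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Nothing to audit on destruction.
    }

    // Walks the current stack and returns the first frame outside the container and JDK.
    static String firstApplicationFrame() {
        String self = SessionCreationAuditListener.class.getName();
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            String cls = frame.getClassName();
            if (cls.equals(self) || isSkipped(cls)) continue;
            return cls + "." + frame.getMethodName() + ":" + frame.getLineNumber();
        }
        return "unknown";
    }

    private static boolean isSkipped(String cls) {
        for (String prefix : SKIPPED) if (cls.startsWith(prefix)) return true;
        return false;
    }
}
```

A `by=` value under `org.apache.jsp.` points at a JSP without `session="false"`; any other class is the code that called `getSession()`.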
24

CORRECTION: Please vote for Peter Štibraný's answer - it is more correct and complete!

A "JSESSIONID" is the unique id of the http session - see the javadoc here. There, you'll find the following sentence:

Session information is scoped only to the current web application (ServletContext), so information stored in one context will not be directly visible in another.

So when you first hit a site, a new session is created and bound to the ServletContext. If you deploy multiple applications, the session is not shared.

You can also invalidate the current session and therefore create a new one. E.g. when switching from http to https (after login), it is a very good idea to create a new session.

Hope this answers your question.

zb226
Mo.
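
The advice above to create a new session after login is the standard defence against session fixation: a JSESSIONID issued before authentication must not survive into the authenticated session. The servlet below is an added example, not code from the answer; the class name, the parameter names, the `/home` redirect target and the `authenticate` hook are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: renews the session at the moment the user's privilege level changes.
public abstract class SessionRenewingLoginServlet extends HttpServlet {

    // Hypothetical hook: the application supplies its own credential check.
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (user == null || password == null || !authenticate(user, password)) {
            // No getSession() call on this path, so a failed login never
            // creates a session or sends a JSESSIONID cookie.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession(false) returns the pre-login session or null; it never creates one.
        HttpSession preLogin = req.getSession(false);
        if (preLogin != null) {
            // Drops the old id and everything stored under it before login.
            preLogin.invalidate();
        }

        // First getSession(true) after invalidate() yields a session with a new id,
        // and the container sends a fresh JSESSIONID cookie with this response.
        // On Servlet 3.1+ req.changeSessionId() renews the id while keeping attributes.
        HttpSession authenticated = req.getSession(true);
        authenticated.setAttribute("user", user);

        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```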
8

Beware if your page is including other .jsp or .jspf (fragment)! If you don't set

<%@ page session="false" %>

on them as well, the parent page will end up starting a new session and setting the JSESSIONID cookie.

For .jspf pages in particular, this happens if you configured your web.xml with such a snippet:

<jsp-config>
    <jsp-property-group>
        <url-pattern>*.jspf</url-pattern>
    </jsp-property-group>
</jsp-config>

in order to enable scriptlets inside them.

polaretto
  • Do you mean set page session=false in all the fragments included (.jsp and .jspf) and not include it in the main jsp that include the rest of snippets? – Ommadawn Dec 15 '19 at 00:14
2

For links generated in a JSP with custom tags, I had to use

<%@ page session="false" %>

in the JSP

AND

request.getSession().invalidate();

in the Struts action

Jerome Jaglale