Losing session

From Resin 3.0



URL rewriting

If you forget to rewrite a URL, a user who requires rewriting will lose their session as soon as they follow that URL.

Resin associates a session with a user's browser by assigning a unique id that the browser sends back with each new request. This is accomplished in one of two ways: using cookies or URL rewriting.

Resin first attempts to track the session of a user by sending the user's browser a cookie containing the unique session id.

Sometimes Resin cannot establish a cookie, either because the user has disabled cookies in their browser or because the browser does not support them (as is the case with some HDML and WML browsers). If the cookie cannot be established, Resin falls back to URL rewriting.

In this case, Resin rewrites every URL that it sends to the user so that it contains a parameter named _jsessionid. For each incoming request, the first thing Resin does is look for this parameter. If it is present, Resin knows a session has been established; it removes the parameter and uses its value to find the user's session object.

Rewriting requires the cooperation of the developer. The developer must encode every URL reference so that Resin has an opportunity to put in the _jsessionid parameter.

Using the JSTL c:url tag:

<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core' %>

Time to go <a href="<c:url value='home.jsp'/>">Home</a>!

Using response.encodeURL() in a scriptlet:

<%
String homeUrl = response.encodeURL("home.jsp");
%>

<%-- the presentation --%>

Time to go <a href="<%= homeUrl %>">Home</a>!

Resin configuration for sessions

Another possibility is that the session-max setting is too low, and more users are establishing sessions than you have configured Resin for.

Yet another possibility is that the session is timing out. You can use the session-timeout directive to configure this.

<web-app id='/'>

Application reloading

Whenever a Java source file, web.xml, or resin.conf changes, Resin restarts the application. When this happens, your current sessions will be lost unless you have configured a persistent session store.

Browser cookie limitations

Some users have reported that if their application uses a lot of cookies, the browser will start to discard older cookies to make room for the new ones. This may result in the browser discarding the cookie that Resin is using to keep track of the session.

If your application uses a lot of cookies, you may need to configure Resin to always use URL rewriting by setting enable-cookies to false.

<web-app id='/'>

Problems with cookie domains

You may also lose your sessions if your cookie domains are incompatible. For example, if you have one server that uses cookie domain "hogwarts.com" and another that uses "qa.hogwarts.com", the cookie in the browser for "hogwarts.com" will interfere with sessions on "qa.hogwarts.com". The solution is to change the cookie domain "hogwarts.com" to "www.hogwarts.com".

You set the cookie domain in session-config.

(Thanks Laura for providing this)

Conflicting cookie names

If you are using Resin and another application server (such as Tomcat), you may encounter a conflict because both of them are using the same cookie name (usually JSESSIONID) for the session tracking cookie.

Resin provides session-cookie to let you change the name of the cookie that Resin uses.
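The two cookie problems above (overlapping cookie domains and two servers sharing one cookie name) can be reproduced with a small model of a browser cookie jar. This is an added example, not code from Resin or from the original page. It assumes every cookie carries a Domain attribute, applies RFC 6265 domain matching, ignores path matching, and uses constructed session ids and a hypothetical renamed cookie, RESINSESSIONID.

```python
# Added example: simplified browser cookie jar (RFC 6265 domain matching only).
import ipaddress

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals never suffix-match
        return False
    except ValueError:
        return host.endswith("." + cookie_domain)

class CookieJar:
    def __init__(self):
        self._cookies = {}              # (name, domain, path) -> value

    def set_cookie(self, name, value, domain, path="/"):
        # Same name + domain + path replaces the cookie already stored.
        self._cookies[(name, domain.lower().lstrip("."), path)] = value

    def cookies_for(self, host, name):
        """Values of every cookie called `name` that would be sent to `host`."""
        return [v for (n, d, _path), v in self._cookies.items()
                if n == name and domain_match(host, d)]

def hogwarts_case(main_site_domain):
    """Session ids that reach qa.hogwarts.com, given the main site's cookie domain."""
    jar = CookieJar()
    jar.set_cookie("JSESSIONID", "main-abc", main_site_domain)   # constructed ids
    jar.set_cookie("JSESSIONID", "qa-xyz", "qa.hogwarts.com")
    return jar.cookies_for("qa.hogwarts.com", "JSESSIONID")

def two_servers_one_host(resin_cookie_name):
    """Resin and a second server (e.g. Tomcat) setting cookies on the same host."""
    jar = CookieJar()
    jar.set_cookie(resin_cookie_name, "resin-1", "www.hogwarts.com")
    jar.set_cookie("JSESSIONID", "tomcat-2", "www.hogwarts.com")
    return (jar.cookies_for("www.hogwarts.com", resin_cookie_name),
            jar.cookies_for("www.hogwarts.com", "JSESSIONID"))

if __name__ == "__main__":
    print(hogwarts_case("hogwarts.com"))            # two ids sent: ambiguous session
    print(hogwarts_case("www.hogwarts.com"))        # only the qa id is sent
    print(two_servers_one_host("JSESSIONID"))       # Resin's id was overwritten
    print(two_servers_one_host("RESINSESSIONID"))   # hypothetical name: both survive
```

With cookie domain "hogwarts.com" the request to qa.hogwarts.com carries two JSESSIONID values, so the server cannot tell which session is meant; narrowing the domain to "www.hogwarts.com" or renaming the cookie removes the overlap.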

