You can do sessions even if the client doesn’t accept cookies, but you have to do a little more work...


We don’t agree that anybody with half a brain disables cookies. In fact, most browsers do have cookies enabled, and everything’s wonderful. But there’s no guarantee.

If your app depends on sessions, you need a different way for the client and Container to exchange session ID info. Lucky for you, the Container can handle a cookie-refusing client, but it takes a little more effort from you.

If you use the session code on the previous pages—calling getSession() on the request—the Container tries to use cookies. If cookies aren’t enabled, it means the client will never join the session. In other words, the session’s isNew() method will always return true.

Note

A client with cookies disabled will ignore “Set-Cookie” response headers

If a client doesn’t accept cookies, you won’t get an exception. No bells and sirens going off to tell you that your attempt to have a session with this client went wrong. No, it just means the client ignores your attempt to set a cookie with the session ID. In your code, if you do NOT use URL rewriting, it means that getSession() will always return a NEW session (i.e. one that always returns “true” when you call isNew() on it). The client simply never sends back a request that has a session ID cookie header.
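Because nothing fails loudly, the only signal is a session that comes back new on a request where it should not be. The servlet below is an added example, not code from the book: it redirects once so the client has a chance to return the cookie, then checks isNew() again. The class name, the `probe` parameter, the `hits` attribute and the `javax.servlet` package namespace are assumptions made for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: the name, the "probe" parameter and the "hits"
// attribute are illustration only.
public class SessionProbeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // The Container looks for a session ID in the request. If there is none,
        // it creates a session and adds a Set-Cookie header to the response.
        HttpSession session = request.getSession();
        boolean probing = request.getParameter("probe") != null;

        if (session.isNew() && !probing) {
            // Either a genuine first visit or a client that ignores Set-Cookie;
            // one request cannot tell them apart. Redirect once, deliberately
            // without URL encoding, so that only a cookie can carry the ID back.
            response.sendRedirect(request.getRequestURI() + "?probe=1");
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        if (session.isNew()) {
            // Second request and the session is new again: the Set-Cookie header
            // was ignored. No exception was thrown; isNew() is the only signal.
            out.println("Client did not return the session cookie; it never joins the session.");
        } else {
            // The client sent the session ID back, so session state persists.
            Integer hits = (Integer) session.getAttribute("hits");
            hits = (hits == null) ? 1 : hits + 1;
            session.setAttribute("hits", hits);
            out.println("Client joined the session; hits=" + hits
                    + ", ID from cookie=" + request.isRequestedSessionIdFromCookie());
        }
    }
}
```

Each probe of a cookie-refusing client leaves behind sessions that nothing will ever rejoin; they stay in memory until the session timeout expires.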

URL rewriting: something to fall back on

If the client ...
