1

I have a simple JSP site on Tomcat. To work with sessions I use the plain JSP session object.

But I need some session isolation between my web directories, e.g.

mysite.com/dir1 
mysite.com/dir2

I want to use independent sessions for each of dir1 and dir2.

Is it possible with minimal JSP code changes and without using virtual hosts?

triclosan

2 Answers

1

Tomcat offers some control over the session cookie's path with the sessionCookiePath context parameter, but not enough for your needs. I believe you can play fast and loose with both the server (servlet container) and the browser with very little code.

In short, write a servlet filter that lets the request in, unchanged. When the response comes out, add your servlet path to the JSESSIONID cookie path and let the browser send a different JSESSIONID (thus using a different session) for each servlet.

Here is how it works:

  1. When a request comes in the first time, it is "naked", it does not have any cookies associated with it. It does not have a session.
  2. The server will create one and associate a JSESSIONID to it and add a cookie to let the client do its part of the tracking.
  3. The client is still waiting on its initial request at this point.
  4. In the servlet filter (or mod_rewrite) add the servlet path to the cookie's path.
  5. Send the response to the client.

With the cookie personalized for servlet /dir1, when the browser sends a request to /dir2, it will also be "naked", no cookies whatsoever. A new session will be created, the filter will add the path to it and so on...

From the server's point of view, there are two clients (with the same IP). One is always using /dir1 servlet and the other is only using /dir2 servlet. Nothing wrong with that.

Here is one filter implementation that can give a head start. You might also consider doing it in Apache with mod_headers.

ixe013
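A sketch of the filter described in the answer above, added here as an example and not code from the answer or from Tomcat. It assumes the `javax.servlet` API (Tomcat 9 or earlier), the default `JSESSIONID` cookie name, a filter mapping of `/dir1/*` and `/dir2/*`, and that the container emits its session cookie as a `Set-Cookie` header when `getSession()` creates the session; the class name and the `sessionScope` attribute are hypothetical. Because a cookie's Path only controls what the browser sends, the filter also records the owning directory in the session and refuses an ID presented under the other directory.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PathScopedSessionFilter implements Filter {
    // Hypothetical attribute name: remembers which directory owns the session.
    private static final String SCOPE_ATTR = "sessionScope";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    // "/app/dir1/page.jsp" -> "/app/dir1"; anything outside a sub-directory -> context root.
    static String scopeOf(HttpServletRequest req) {
        String ctx = req.getContextPath();
        String rest = req.getRequestURI().substring(ctx.length());
        int end = rest.indexOf('/', 1);
        return end > 0 ? ctx + rest.substring(0, end) : (ctx.isEmpty() ? "/" : ctx);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String scope = scopeOf(req);
        // Create the session here, before any output commits the response headers.
        HttpSession session = req.getSession(true);
        if (session.isNew()) {
            session.setAttribute(SCOPE_ATTR, scope);
            // setHeader replaces the container's Set-Cookie (and any other cookie set so far)
            // with one the browser will only return under this directory.
            res.setHeader("Set-Cookie", "JSESSIONID=" + session.getId() + "; Path=" + scope
                    + "; HttpOnly" + (req.isSecure() ? "; Secure" : ""));
        } else if (!scope.equals(session.getAttribute(SCOPE_ATTR))) {
            // The ID was issued for another directory (or outside this filter): reject it.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Pages outside the two directories should not create sessions (for JSPs, `<%@ page session="false" %>`), because a cookie issued with the context-root path is sent to both directories and would be rejected by the scope check.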
0

The question is why you want to do this.

If it's security-related you should deploy dir1 and dir2 as different servlets. Different servlets have different sessions, so your problem should be solved.

If that is not an option, and your motivation hasn't anything to do with security, you could add a map for each path to your session. You would then have to access your session objects first by obtaining the map for the path, then accessing the session object (i.e. ${session.dir1.foo}).

A third solution might be to use a filter to hide certain elements in the session for the current request by creating a HttpServletRequestWrapper which returns a special HttpSession for different requests.