Enterprise Client Community

Hi Björn,

do servlets run in a different session than the CaptainCasa application?
If not, how can I get the common session id?

I want to to check if a file download servlet is running in the same session than the caller before file download is allowed.
I used the session id in our Casabac application to do that, but here I get two different session ids.
This is how I determine the session ids:

CaptainCasa:
HttpSessionAccess.getCurrentHttpSession(FacesContext.getCurrentInstance()).getId()

Servlet:
HttpServletRequest req;
req.getSession().getId();

Frauke

Hi,

the answer is quite tricky:

when running in browser (applet or webstart) then the sessionid is automatically added - the servlet will be called in the same http session (jssessionid).

When running in stand alone environment there is no automatic appending of the right sessionid. If you need to force the session id to be the same as the applciation around then append
";jsessionid=" + sessionId to your URL.

Björn

Hi Björn,

I tried it, but it does not work. The session id from the HttpServletRequest is still different.

Just to be sure I got you right:
I append the session id to the URL and then the servlet's HttpServletRequest will receive the session id from this?

Additionally this throws up a problem I had before:
if I append the session id to the URL, the file name (of the download servlet) will not be extracted correctly (see post "File download with servlet").

Frauke

...yes, appending the sessionid in the way described will select the correct session on server side... I am not 1000% expert on this, but it works exactly this way in a little example that I use...

Example URL, embedded in form:
<form id="_id0" method="post" action="/demos/faces/workplace/workplace.jsp;jsessionid=F054133D15BE3375C3B5183B9FB0324B" enctype="application/x-www-form-urlencoded">

Please check the client log: switch the log level to "all", (start parameter: loglevel=ALL) and compare the session ids that are sent from the normal processing with the one that you send.

Björn

PS: yes, the file download currently would take over this ";jsessionid=...". This something we can fix.

Hi Björn,

I checked the client log as you said and the session IDs are the same.
But still the Servlet gets an other one.

Is the call
HttpServletRequest req;
req.getSession().getId();

in the servlet correct? Or does it provide som other ID?

Frauke

...yes the call is correct.

I am "at the end of my Latin" currently... (English for runaways)

I think the most important issue is, that it is working in a webstart/applet environment, so it would be good to make sure that this scenario is working...

Björn

Well ok,....

as a kind of security check we only allow file download if the servlet and the application are running within the same session.

The only chance I see in the moment is to switch off this check.....
but that also affects our casabac application.

... but sure works for all cases.
Maybe you will have some enlightments later?

Frauke