Sunday, August 12, 2012

What is JSESSIONID in J2EE Web application - JSP Servlet?

What is JSESSIONID in JSP Servlet
JSESSIONID is a cookie generated by Servlet container like Tomcat or Jetty and used for session management in J2EE web application for http protocol. Since HTTP is a stateless protocol there is no way for Web Server to relate two separate requests coming from same client and Session management is the process to track user session using different session management techniques like Cookies and URL Rewriting. If Web server is using cookie for session management it creates and sends JSESSIONID cookie to the client and than client sends it back to server in subsequent http requests. JSESSIONID and session management is a not only a popular Servlet interview question but also appear in various JSP interviews. Along with What is JSESSIONID interviewer are also interested in when and how JSESSIONID is created in Servlet and JSP which we will see in next section.

When JSESSIONID created in Web application?
What is JSESSIONID in JSP Servlet HTML web application
In Java J2EE application container is responsible for Session management and by default uses Cookie. When a user first time access your web application, session is created based upon whether its accessing HTML, JSP or Servlet. if user request is served by Servlet than session is created by calling request.getSession(true) method. it accepts a boolean parameter which instruct to create session if its not already existed. if you call request.getSession(false) then it will either return null if no session is associated with this user or return the associated HttpSession object. If HttpRequest is for JSP page than Container automatically creates a new Session with JSESSIONID if this feature is not disabled explicitly by using page directive %@ page session="false" %>. Once Session is created Container sends JSESSIONID cookie into response to the client. In case of HTML access, no user session is created. If  client has disabled cookie than Container uses URL rewriting for managing session on which jsessionid is appended into URL as shown below:


When HTTP session is invalidated(), mostly when user logged off, old JSESSIONID destroyed and a new JSESSIONID is created when user further login.

How to monitor HTTP request to check JSESSIONID

You can check value of JSESSIONID coming in as cookie by monitoring HTTP request. If you are running Tomcat Server in NetBeans IDE in your development environment than you can use HTTP Server Monitor to check http requests. You just need to enable it while starting Tomcat Server form Netbeans. After than with each request you can see all details like request headers, session, cookies etc in HTTP Server monitor screen. If you look on JSESSIONID cookie it will look like:

cookie  JSESSIONID=1A530637289A03B07199A44E8D531427

You can also enable http request and response in Client side by using tools like ethereal or Wireshark. This tool can monitor all http traffic from and to your machine and by looking on request data you can see JSESSIONID cookie and its value.

That's all on What is JSESSIONID and How JSESSIONID is created inside J2EE application. We have seen that both Servlet and JSP can be responsible for Session creation but its done by Container. you can retrieve value of SessionID which is represented by JSESSIONID cookie when you call request.getSession(). Session management in web applications are complex topic especially when it comes to clustering and distributed session. On the other hand JSESSIONID is one of those basics which as J2EE web application developer you should be aware of.

Other JSP and Servlet tutorial from Javarevisited Blog


Anonymous said...

I hardly need someone able to decode a JSessionID to get the 'timeTag' in it (date of connection)
contact in France
urgent and important

Anonymous said...

its good to understand

Anonymous said...

Nice explanation :-)

Anonymous said...


Post a Comment