Preparing for Java and Spring Boot Interview?

Join my Newsletter, its FREE

Tuesday, July 27, 2021

What is JSESSIONID in Java Web application - JSP Servlet? Example

What is JSESSIONID in JSP-Servlet
JSESSIONID is a cookie generated by Servlet containers like Tomcat or Jetty and used for session management in the J2EE web application for HTTP protocol. Since HTTP is a stateless protocol there is no way for Web Server to relate two separate requests coming from the same client and Session management is the process to track user sessions using different session management techniques like Cookies and URL Rewriting. If a Web server is using a cookie for session management it creates and sends JSESSIONID cookie to the client and then the client sends it back to the server in subsequent HTTP requests.

JSESSIONID and session management is not only a popular Servlet interview question but also appears in various JSP interviewsAlong with What is JSESSIONID interviewer is also interested in when and how JSESSIONID is created in Servlet and JSP which we will see in next section.

When is JSESSIONID created in the Web application?

In Java J2EE application container is responsible for Session management and by default uses Cookie. When a user first time access your web application, session is created based on whether its accessing HTML, JSP or Servlet. if user request is served by Servlet than session is created by calling request.getSession(true) method. it accepts a boolean parameter which instruct to create session if its not already existed. 

If you call request.getSession(false) then it will either return null if no session is associated with this user or return the associated HttpSession object. If HttpRequest is for JSP page than Container automatically creates a new Session with JSESSIONID if this feature is not disabled explicitly by using page directive %@ page session="false" %>. 

Once Session is created Container sends JSESSIONID cookie into response to the client. In case of HTML access, no user session is created. If  client has disabled cookie than Container uses URL rewriting for managing session on which jsessionid is appended into URL as shown below:


When the HTTP session is invalidated(), mostly when the user logged off, old JSESSIONID is destroyed and a new JSESSIONID is created when the user further login.

How to monitor HTTP requests to check JSESSIONID

You can check the value of JSESSIONID coming in as a cookie by monitoring HTTP requests. If you are running Tomcat Server in NetBeans IDE in your development environment then you can use HTTP Server Monitor to check HTTP requests. You just need to enable it while starting Tomcat Server from Netbeans.

After then with each request, you can see all details of request headers, session, cookies, etc in the HTTP Server monitor screen. If you look on JSESSIONID cookie it will look like this:

cookie  JSESSIONID=1A530637289A03B07199A44E8D531427

What is JSESSIONID in JSP Servlet HTML web application
You can also enable HTTP requests and responses in Client-side by using tools like ethereal or Wireshark. This tool can monitor all HTTP traffic from and to your machine and by looking at request data you can see the JSESSIONID cookie and its value.

That's all on What is JSESSIONID and How JSESSIONID is created inside the J2EE application. We have seen that both Servlet and JSP can be responsible for Session creation but its done by Container. you can retrieve the value of SessionID which is represented by the JSESSIONID cookie when you call request.getSession(). 

Session management in web applications is a complex topic especially when it comes to clustering and distributed session. On the other hand, JSESSIONID is one of those basics which as a J2EE web application developer you should be aware of.

Other JSP and Servlet tutorials from Javarevisited Blog


Anonymous said...

I hardly need someone able to decode a JSessionID to get the 'timeTag' in it (date of connection)
contact in France
urgent and important

Delli said...

How this is handled in cluster mode say if a session is associated with one node and that node is failed then it redirect to other same session is forwarded or

javin paul said...

@Delli, Sessions are usually replicated across the cluster it means same session is available to every node.

javin paul said...

This is another reason why Session is Serializable and you should not put anything on HttpSession which is not serializable.

Anonymous said...

Thanks you for your article :)

Unknown said...

Your article continually have a lot of really up to date info. Thank you so much. Such good explanation in a minimized understandable form.

Post a Comment