I am sending a $.getJSON
(HTTP GET) request twice (with different data), one after another (lets say we have request1 and request2). I can see in the developer tools from FF and Chrome that I have the same cookie:JSESSIONID=FD0D502635EEB67E3D36203E26CBB59A
header field.
On the server side I try to get the session:
HttpSession session = request.getSession();
boolean isSessionNew = session.isNew();
String sessionId = session.getId();
String cookieFromRequestHeader = request.getHeader("cookie");
If I print these variables for both requests I get,
request1:
isSessionNew:true
cookieFromRequestHeader:JSESSIONID=FD0D502635EEB67E3D36203E26CBB59A
session.getId():9212B14094AB92D0F7F10EE21F593E52
request2:
isSessionNew:true
cookieFromRequestHeader:JSESSIONID=FD0D502635EEB67E3D36203E26CBB59A
session.getId(): E8734E413FA3D3FEBD4E38A7BF27BA58
As you can see, the server clearly created a new session for request2 on a request.getSession()
. But why does it do this? It should theoretically be synchronized and give you the same session that the first request (that reached this code first) created. Now, to be sure that the session creation is synchronized I did the following:
@Autowired
private ServletContext servletContext;
...
synchronized (servletContext) {
HttpSession session = request.getSession();
boolean isSessionNew = session.isNew();
String sessionId = session.getId();
String cookieFromRequestHeader = request.getHeader("cookie");
}
and I got the same results.
If I send the same requests later again (lets say request1' and request2') I get,
request1':
isSessionNew:false
cookieFromRequestHeader:JSESSIONID=E8734E413FA3D3FEBD4E38A7BF27BA58 session.getId():E8734E413FA3D3FEBD4E38A7BF27BA58
request2':
isSessionNew:false
cookieFromRequestHeader:JSESSIONID=E8734E413FA3D3FEBD4E38A7BF27BA58
session.getId():E8734E413FA3D3FEBD4E38A7BF27BA58
If you see closely now, the session id is the same (in request1' and request2') and is the last one created from the request2. Is there a way of me getting the same session from multiple subsequent requests that come to the server in very short time frames?
I am not using any special features - I am using Spring's out of the box session strategy. Also, it looks like the cookie JSESSIONID from the frist 2 requests (request1 and request2) come from the first time I visit the page (lets say there was a request0 sent to the server when it created this JSESSIONID). But it also looks like unless you explicitly call request.getSession(), the backend/server will always create a new JSESSIONID for every response and send it back to the client. So when a new request is sent from the client after a response comes, its going to have a new JSESSIONID. It looks like Spring out of the box session handling is not working appropriately.
Kind Regards,
despot
ADDITIONAL RESEARCH:
I wanted to see if I can register the session creation with a HttpSessionListner. This way I can see when the session with id FD0D502635EEB67E3D36203E26CBB59A (the cookie that is being sent in request1 and request2) is created. And also, weather using the listener (the SessionProcessor) I can store the sessions in a map by id and later on retrieve them by the id from the cookie (so I don't need to create another session).
So here is the code:
public interface ISessionProcessor extends ISessionRetriever, ISessionPopulator {
}
public interface ISessionRetriever {
HttpSession getSession(String sessionId);
}
public interface ISessionPopulator {
HttpSession setSession(String sessionId, HttpSession session);
}
The reason for separating these was because I only wanted to allow the listener to add sessions to the map, and the controllers only to be able to create a session through request.getSession() - so the listner's sessionCreated method was invoked always (as you'll see below).
public class SessionProcessor implements ISessionProcessor {
private Map<String, HttpSession> sessions = new HashMap<String, HttpSession>();
@Override
public HttpSession getSession(String sessionId) {
return sessions.get(sessionId);
}
@Override
public HttpSession setSession(String sessionId, HttpSession session) {
return sessions.put(sessionId, session);
}
}
public class SessionRetrieverHttpSessionListener implements HttpSessionListener {
private static final Logger LOGGER = LoggerFactory.getLogger(SessionRetrieverHttpSessionListener.class);
@Autowired
private ISessionPopulator sessionPopulator;
@Override
public void sessionCreated(HttpSessionEvent se) {
HttpSession session = se.getSession();
LOGGER.debug("Session with id {} created. MaxInactiveInterval: {} session:{}", new Object[]{session.getId(), session.getMaxInactiveInterval(), session});
sessionPopulator.setSession(session.getId(), session);
}
@Override
public void sessionDestroyed(HttpSessionEvent se) {
HttpSession session = se.getSession();
// session has been invalidated and all session data (except Id) is no longer available
LOGGER.debug("Session with id {} destroyed. MaxInactiveInterval: {}, LastAccessedTime: {}, session:{}",
new Object[]{session.getId(), session.getMaxInactiveInterval(), session.getLastAccessedTime(), session});
}
}
in web.xml: org.springframework.web.context.ContextLoaderListener
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/my-servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<listener>
<listener-class>mypackage.listener.SessionRetrieverHttpSessionListener</listener-class>
</listener>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
in my-servlet-context.xml:
<bean class="mypackage.listener.SessionProcessor"/>
<bean class="mypackage.SomeController"/>
in my controller:
synchronized (servletContext) {
String cookieFromRequestHeader = request.getHeader("cookie");
LOG.debug("cookieFromRequestHeader:{}", new Object[] {cookieFromRequestHeader});
String jsessionIdFromCookieFromRequestHeader = cookieFromRequestHeader.substring(cookieFromRequestHeader.indexOf("=") + 1);
LOG.debug("jsessionIdFromCookieFromRequestHeader:{}", new Object[] {jsessionIdFromCookieFromRequestHeader});
session = sessionRetriever.getSession(jsessionIdFromCookieFromRequestHeader);
LOG.debug("session:{}", new Object[] {session});
if (session == null) {
LOG.debug("request.isRequestedSessionIdFromCookie():{}, request.isRequestedSessionIdFromURL():{}, WebUtils.getSessionId(request):{}.", new Object[] {request.isRequestedSessionIdFromCookie(), request.isRequestedSessionIdFromURL(), WebUtils.getSessionId(request)});
session = request.getSession();
boolean isSessionNew = session.isNew();
LOG.debug("Is session new? - {}. The session should not be new after the first fingerprint part is received - check if this occured in the logs - if that happend than there is an error!", isSessionNew);
LOG.debug("request.isRequestedSessionIdFromCookie():{}, request.isRequestedSessionIdFromURL():{}, WebUtils.getSessionId(request):{}.", new Object[] {request.isRequestedSessionIdFromCookie(), request.isRequestedSessionIdFromURL(), WebUtils.getSessionId(request)});
//read https://stackoverflow.com/a/2066883 and think about using ServletContextAware also.
LOG.debug("cookieFromRequestHeader:{} session.getId(): {}", new Object[]{cookieFromRequestHeader, session.getId()});
}
}
This gave me the same results. It appeared that the session creation by means other than request.getSession (when spring itself out of box created the session), was either not registered by the listener or the cookie/jsessionID came from somewhere else. Look the answer for more.
Other sources that helped me go through the HttpSession issues:
servlet context injection in controller
overview of concurrency when you have to work with HttpSession
using HttpSession object to do synchronization (avoid this)
the "best" way to do synchronization when working with HttpSession
some spring reference stuff:
session management
session management in security
discussions on how to get session when you have a sessionId (what I did above):
coderanch discussion
stackoverflow
the post that helped me finalize my listener autowiring
it looks like the cookie JSESSIONID from the frist 2 requests (request1 and request2) come from the first time I visit the page (lets say there was a request0 sent to the server when it created this JSESSIONID).
This was not true. I have 2 applications deployed under the same domain on the same server. So when I was calling http://mydomain.com/app1/initpage the server created a session for app1 with id FD0D502635EEB67E3D36203E26CBB59A and sent this JSESSIONID in a cookie to the client. The client saved the cookie under the mydomain.com and the second time when I executed http://mydomain.com/app2/executeService, the client browser sent the JSESSIONID from the cookie in the request header. I received it on the server but this was not a session in the other app2.
This explains the fact that when I send the other two requests (request1' and request2') they have a sessionID created on the appropriate application.
Have a look more here:
Deploying multiple web apps in same server
Under what conditions is a JSESSIONID created?
As for the concrete answer to my question, it appears that you need to make the 1st request synchronized so you are always sure that you have the same session id in the following requests. The following requests after the 1st one, can be asynchronous though.