SRV.7.1 Session Tracking Mechanisms

SRV.7.1.1 URL Rewriting

URL rewriting is the lowest common denominator of session tracking. In cases where a client will not accept a cookie, URL rewriting may be used by the server to establish session tracking. URL rewriting involves adding data to the URL path that can be interpreted by the container on the next request to associate the request with a session.

The session id must be encoded as a path parameter in the resulting URL string. The name of the parameter must be jsessionid . Here is an example of a URL containing encoded path information:

 http://www.myserver.com/catalog/index.html;jsessionid=1234 

SRV.7.1.2 Cookies

Session tracking through HTTP cookies is the most used session tracking mechanism and is required to be supported by all servlet containers. The container sends a cookie to the client. The client will then return the cookie on each subsequent request to the server unambiguously associating the request with a session. The name of the session tracking cookie must be JSESSIONID .

SRV.7.1.3 SSL Sessions

Secure sockets layer, the encryption technology which is used in the HTTPS protocol, has a mechanism built into it allowing multiple requests from a client to be unambiguously identified as being part of an accepted session. A servlet container can easily use this data to serve as the mechanism for defining a session.