How sessions work

Basic ideas

When the server creates a new session, it hands the browser a session identifier, normally in the form of a cookie. On every later request to that site, the browser sends back the cookies the server set, in the request's Cookie header. On the server side, the web server reads that cookie and looks up the session that matches the identifier it carries. Because the identifier is the only thing tying a request to a session, anyone who obtains it can act as that session, so it must be unpredictable and treated as a secret.

A session is normally short-lived, so the session cookie is not saved to disk. Sessions also time out: once the idle timeout expires, the session no longer exists on the server side, even if the browser still holds the cookie. The timeout is set in the server or application configuration (for a Servlet container, the <session-timeout> element in web.xml, expressed in minutes).

Servlet handling

You can read the RFC describing cookies (RFC 6265) and the related headers, Set-Cookie and Cookie, to understand what they are.

You can go through Chapter 7 of the Servlet Specification if you want to understand in detail how Cookies and Sessions are related.

You first need to understand that HTTP is a stateless protocol. This means that each request a client makes has no relation to any previous or future request. However, as users, we very much want some state when interacting with a web application. A bank application, for example, must make sure you can see and manage only your own transactions. A music streaming website might want to recommend some good beats based on what you've already heard.

To achieve this, the Cookie and Session concepts were introduced. Cookies are key-value pairs, but with a specific format (see the links). Sessions are server-side entities that store information (in memory or persisted) that spans multiple requests/responses between the server and the client.

By default, the Servlet HTTP session uses a cookie named JSESSIONID whose value identifies the session (the name can be changed in the container or application configuration).

The Servlet container keeps a map (YMMV) from these identifiers to HttpSession objects. When the application first asks for a session on behalf of a client (request.getSession()), the container creates an HttpSession object with a unique identifier and stores it in its map. It then adds a Set-Cookie header to the response, with the cookie's name set to JSESSIONID and its value set to the identifier it just created.

This is the most basic cookie that a server uses. You can set any number of them with any information you wish. The Servlet API makes that a little simpler for you with the HttpServletResponse#addCookie(Cookie) method, but you could do it yourself with the HttpServletResponse#addHeader(String, String) method.

The client receives these cookies and stores them in its cookie store. When sending a new request to the server, it includes the matching cookies in the request's Cookie header, which tells the server that this client has probably made requests before. The server has no other proof of that: whoever presents a valid JSESSIONID value is treated as the owner of that session.
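As an added example (not code from the original post), here is a servlet that makes the exchange above visible: it lists the cookies the browser sent, reports whether the JSESSIONID it carried resolved to a live session, and creates a session only when asked to, so you can watch the Set-Cookie header appear. The URL mapping and the "visits" attribute are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the original post. The URL mapping and the
// "visits" attribute are assumptions made for the demonstration.
@WebServlet("/session-demo")
public class SessionDemoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // 1. What the browser sent: every pair from the request's Cookie header.
        Cookie[] cookies = req.getCookies();   // null when there is no Cookie header
        if (cookies == null) {
            out.println("No cookies sent by the browser.");
        } else {
            for (Cookie c : cookies) {
                out.println("Cookie " + c.getName() + "=" + c.getValue());
            }
        }

        // 2. Did the JSESSIONID the browser sent resolve to a live session?
        //    getSession(false) only looks one up and never creates one.
        out.println("Requested session id: " + req.getRequestedSessionId());
        out.println("Requested id is valid: " + req.isRequestedSessionIdValid());
        HttpSession session = req.getSession(false);

        // 3. Create one only when asked. The container then adds
        //    Set-Cookie: JSESSIONID=<new id>; Path=<context path> to this response.
        if (session == null && "1".equals(req.getParameter("create"))) {
            session = req.getSession(true);
            out.println("Created session " + session.getId()
                    + " (isNew=" + session.isNew() + ")");
        }
        if (session == null) {
            out.println("No session. Add ?create=1 to start one.");
            return;
        }

        // 4. Server-side state that survives across requests only because the
        //    browser keeps returning the same cookie value.
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);
        out.println("Session " + session.getId() + ", visits: " + visits);
    }
}
```

Request it twice from a browser: the first response (with ?create=1) lists no cookies and reports the freshly created id, while the second shows the browser returning JSESSIONID, the requested id reported as valid, and the visit counter advancing. Without ?create=1 the response never carries a Set-Cookie header, because getSession(false) does not create anything.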


A JSESSIONID cookie is set in the user's browser whenever a session is created, which request.getSession() does if the request does not already belong to one (request.getSession(false) only looks up an existing session and never creates one). Why? Because each session created on the server side has an ID. You cannot access another user's session unless you have the right ID. This ID is kept in the JSESSIONID cookie and lets the server find that user's information. The same property cuts both ways: if an attacker can plant an ID in the victim's browser before login, or read it afterwards, they share the session. For that reason the ID should be regenerated when the user logs in (HttpServletRequest#changeSessionId() in Servlet 3.1 and later) and the cookie should be marked HttpOnly so page scripts cannot read it.

When is a JSESSIONID deleted?

JSESSIONID has no expiration date: it is a session cookie. Like all session cookies, the browser discards it when it is closed (browsers that restore the previous browsing session on startup may keep it longer). If you use the basic JSESSIONID mechanism, the session becomes unreachable after you close and reopen the browser, because the JSESSIONID cookie is gone. Note that the two sides are independent: the server-side session lives on until its timeout expires or HttpSession#invalidate() is called, so a logout should invalidate it explicitly rather than rely on the browser forgetting the cookie.
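The following servlet is an added example (not from the original post) covering the two moments described above: login, where the existing ID is replaced so a pre-login JSESSIONID stops being useful, and logout, where the server-side session is invalidated and the browser is told to drop the cookie immediately instead of waiting until it closes. It needs Servlet 3.1 or later for changeSessionId(); the URL mapping, the 15-minute timeout and the demo credentials are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the original post. Needs Servlet 3.1+ for
// changeSessionId(). The URL, the timeout and the demo credentials are assumptions.
@WebServlet("/auth")
public class AuthServlet extends HttpServlet {

    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    // POST /auth with user=demo&pass=demo logs in (constructed demo credentials).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!"demo".equals(req.getParameter("user"))
                || !"demo".equals(req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // The browser may have arrived with a JSESSIONID it received before
        // logging in. Issue a fresh id so that value no longer refers to an
        // authenticated session; the container sends the new one in Set-Cookie.
        String oldId = session.getId();
        String newId = req.changeSessionId();
        session.setAttribute("user", "demo");
        // Server-side idle timeout for this session only; it overrides the
        // web.xml <session-timeout>, which is given in minutes.
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        resp.setContentType("text/plain");
        resp.getWriter().println("logged in; session id " + oldId + " -> " + newId);
    }

    // GET /auth shows the state; GET /auth?logout=1 ends the session on both sides.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        HttpSession session = req.getSession(false);
        if (!"1".equals(req.getParameter("logout"))) {
            resp.getWriter().println(session == null ? "not logged in"
                    : "logged in as " + session.getAttribute("user"));
            return;
        }
        if (session != null) {
            // Server side: the id stops resolving right now, even though the
            // browser would otherwise keep the cookie until it closes.
            session.invalidate();
        }
        // Client side: the container does not clear the cookie for you. Send an
        // already-expired JSESSIONID on the same path so the browser drops it.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        resp.addCookie(expired);
        resp.getWriter().println("logged out");
    }
}
```

The Path on the expiring cookie must equal the path the container used when it set JSESSIONID (the context path, or "/" for the root context); a cookie with a different path is stored alongside the original rather than replacing it, and the browser would keep sending the old value.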

Browser handling

By default, session tracking is done with cookies: the web server sends the session ID to the browser in the form of a cookie, and the browser sends the cookie carrying the session ID on subsequent requests.

How does the browser identify which cookies to send for a link/request? It is based on these parameters. If the request matches them, the browser sends that particular cookie:

  1. Domain: the host name the request is made to must match the cookie's domain (exactly, for a cookie set without a Domain attribute; that domain or a subdomain of it otherwise). Verify in your case whether the domain name is the same for the two instances.
  2. Path: the request path must start with the cookie's path. The web server sends the context root as the path, so requests under the same context root share cookies, and two webapps on the same host get separate JSESSIONID cookies.
  3. Secure: the server marks a cookie Secure to say it may only be sent over HTTPS. A Secure cookie is never sent on a plain HTTP request; without the flag, the cookie travels over both secure and non-secure channels.

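As an added example (not code from the original post), here is a minimal version of that browser-side decision in plain Java. It implements the domain-match (RFC 6265 section 5.1.3) and path-match (section 5.1.4) rules plus the Secure attribute, over a constructed cookie jar holding the two JSESSIONID cookies that two webapps on one host would set, and goes beyond the text in handling cookies set without a Domain attribute as host-only. Real browsers additionally apply expiry and SameSite rules, which this example leaves out.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the original post. Domain and path matching follow
// RFC 6265 sections 5.1.3 and 5.1.4; the cookie jar below is constructed.
public class CookieMatcher {

    /** A stored cookie, as the browser keeps it after a Set-Cookie header. */
    static final class StoredCookie {
        final String name, value, domain, path;
        final boolean hostOnly;   // true when Set-Cookie had no Domain attribute
        final boolean secure;

        StoredCookie(String name, String value, String domain, boolean hostOnly,
                     String path, boolean secure) {
            this.name = name; this.value = value; this.domain = domain;
            this.hostOnly = hostOnly; this.path = path; this.secure = secure;
        }
    }

    /** RFC 6265 s.5.1.3: does host domain-match cookieDomain? */
    static boolean domainMatches(String host, String cookieDomain) {
        if (host.equals(cookieDomain)) return true;
        return host.endsWith(cookieDomain)
                && host.charAt(host.length() - cookieDomain.length() - 1) == '.'
                && !host.matches("[0-9.]+");   // IP addresses never domain-match
    }

    /** RFC 6265 s.5.1.4: does requestPath path-match cookiePath? */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/")
                || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Returns the cookies the browser would attach to a request. */
    static List<StoredCookie> cookiesFor(List<StoredCookie> jar, String host,
                                         String path, boolean https) {
        List<StoredCookie> out = new ArrayList<>();
        for (StoredCookie c : jar) {
            boolean domainOk = c.hostOnly ? host.equals(c.domain)
                                          : domainMatches(host, c.domain);
            if (domainOk && pathMatches(path, c.path) && (https || !c.secure)) {
                out.add(c);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed jar: two JSESSIONIDs from two webapps (context roots /shop
        // and /admin) on the same host, and one Secure cookie for the whole domain.
        List<StoredCookie> jar = new ArrayList<>();
        jar.add(new StoredCookie("JSESSIONID", "A1", "app.example.com", true, "/shop", false));
        jar.add(new StoredCookie("JSESSIONID", "B2", "app.example.com", true, "/admin", false));
        jar.add(new StoredCookie("token", "s3", "example.com", false, "/", true));

        print(cookiesFor(jar, "app.example.com", "/shop/cart", false));   // JSESSIONID=A1
        print(cookiesFor(jar, "app.example.com", "/shopping", false));    // none: "/shop" is not a path prefix of "/shopping"
        print(cookiesFor(jar, "app.example.com", "/admin/users", true));  // JSESSIONID=B2 token=s3
        print(cookiesFor(jar, "other.example.com", "/", true));           // token=s3 (Domain=example.com)
        print(cookiesFor(jar, "other.example.com", "/", false));          // none: token is Secure, request is plain HTTP
    }

    private static void print(List<StoredCookie> sent) {
        StringBuilder sb = new StringBuilder("Cookie:");
        for (StoredCookie c : sent) sb.append(' ').append(c.name).append('=').append(c.value);
        System.out.println(sent.isEmpty() ? "(no Cookie header)" : sb.toString());
    }
}
```

The second request is the case that catches people out: "/shop" is a string prefix of "/shopping" but not a path prefix, so the shop webapp's JSESSIONID is not sent there, which is also why a cookie set for one context root is invisible to a sibling webapp on the same host.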

