request.getSession() always returning new session id inspite of using URL rewriting

Question

I am using Firefox browser where I have disabled cookies. Now, for the first hit when session id is generated, i can see a new session id appended to the URL - 38E838B8D401E9E03DF93D5DFC10260C. But in the next request, again a new id is generated - A1C93B0A9B28E4BDCD9D5B0DA3793D15 thereby making a completely new session again. I am using URL rewriting with encodeRedirectURL(). Here's my code:

Servlet Code:
HttpSession session = req.getSession();
if(session.isNew()){//this is always returning new
   System.out.println("New Session created");
}
String contextPath = req.getContextPath();
resp.sendRedirect(resp.encodeRedirectURL(contextPath+"/chapter6/Authenticated2.jsp"));

On Authenticated2.jsp I can see the jsession id appended to the URL. But in the subsequent request on hit of submit button made from this jsp, when flow comes to the Servlet code, it generates a new session id. Should URL rewriting be done somewhat differently then?

Suggestions?

Answer 1

Make sure the session ID gets included in every URL. If there is a URL in your JSP that is missing the session ID, the session ID will not be reported back to the servlet and the servlet will generate a new one. The session can only be identified and maintained for as long as the session ID is included.

In a servlet always use these two methods to add the session ID: HttpServletResponse#encodeURL HttpServletResponse#encodeRedirectURL.

In a JSP you can use something like the <c:url> tag. Or, you can manually get the session ID and append ;jsessionid=xxx at the end of the URL, before the query string.