mukesh kumar Jangid

Reputation: 418

Disabling Cookies stops Session as well?

I have been building a web application. So far I have implemented login and registration. A user can register and then log in within the web application. Everything is working fine. When the user clicks the Login button, a servlet is invoked where I check whether the credentials are correct. If they are validated, I save isLoggedIn in the HttpSession and redirect to the home page.

LoginServlet.java

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
    boolean isValidated = false;
    // ... Service Layer is invoked here and checks for user validation

    // Assume isValidated to be true
    if(isValidated){
        HttpSession session = request.getSession();
        session.setAttribute("isLoggedIn", Boolean.valueOf(true));
        // ...
        // redirected to /home
    }else{
        // redirected to /login?invalid
    }
}

HomeController.java

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{

    HttpSession session = request.getSession();
    Boolean isLoggedIn = (Boolean) session.getAttribute("isLoggedIn");
    if(isLoggedIn != null && isLoggedIn){
        // ...
        // Service Layer is invoked to fetch `Home Page Data`
    }else{
        // redirected to /login?expired
    }
}

All of a sudden I have encountered a strange problem: if I disable cookies for localhost using FireBug, I am not able to log in anymore. No matter whether I enter the correct username or password, each time I am redirected to /login?expired.

I don't get it. Cookies are meant to be stored on the client side and sessions are stored on the server side, so why can the session attribute not be set if cookies are disabled?

I have tried disabling cookies for an already built web application in Spring MVC which is in production, and I am having the same issue there as well.

Upvotes: 5

Views: 3161

Answers (4)

Kayaman

Reputation: 73528

When cookies are enabled, the session is stored in a cookie under the name JSESSIONID.

If cookies are disabled, the container should rewrite the session id as a GET parameter (i.e. &JSESSIONID=1223456fds at the end of all URLs).

If the URL rewriting isn't on by default, see your container's documentation on how to enable it.

You might want to consider modern frameworks (for example Spring MVC with Thymeleaf) which will automate this for you. Otherwise you need to make sure you're rewriting URLs with response.encodeURL() as Ouney directs in his answer.

Upvotes: 3

dom

Reputation: 1096

When we manage the session using the HttpSession mechanism, a jsessionid is saved in the browser's cookies. So when you delete the cookies from the browser or disable cookies, that jsessionid information is not sent to the server, and the server treats the request as coming from a new session.

Upvotes: 0

Abhishek

Reputation: 462

With every request and response, the session id stored on the client side as a cookie is checked by the server. If it is present, the server updates the information, and if not, a new session is created. So when you disable cookies in your browser, a new session is created with every request, as cookies are disabled.

For further information you can refer to this link.

Upvotes: 3

Ouney

Reputation: 1194

A session is there to maintain a stateful conversation between server and client. By default, HTTP is a stateless protocol. So, to make it a stateful conversation, we need to store some values on the browser side (cookies) which are sent by the browser to the server with the request. Without cookies every request is a new request and it becomes a stateless conversation. That is the reason people add session information to URLs (jsessionId) when cookies are disabled. To use URL rewriting, use response.encodeURL() on your URLs.

Upvotes: 3
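The URL rewriting that the answers above recommend, applied to the question's two servlets as an added example (not the asker's or any answerer's code): redirects go through encodeRedirectURL() and page links through encodeURL(), so the session id travels in the URL when the cookie is refused. It assumes the javax.servlet API 3.1 or later with URL session tracking enabled in the container; checkCredentials(), the form field names and the /profile link are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example, not the asker's code. Assumes the javax.servlet API (3.1+).
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Assumed form field names; checkCredentials() stands in for the service layer.
        boolean isValidated = checkCredentials(
                request.getParameter("username"), request.getParameter("password"));
        if (!isValidated) {
            response.sendRedirect(request.getContextPath() + "/login?invalid");
            return;
        }
        HttpSession session = request.getSession(); // creates a session if none exists
        request.changeSessionId();                  // fresh id at login (session fixation defence)
        session.setAttribute("isLoggedIn", Boolean.TRUE);
        // Returns the URL unchanged when the session cookie is in use; otherwise
        // appends ";jsessionid=<id>" so the next request finds the same session.
        String home = request.getContextPath() + "/home";
        response.sendRedirect(response.encodeRedirectURL(home));
    }

    // Hypothetical placeholder that fails closed; wire it to the real credential check.
    private boolean checkCredentials(String username, String password) {
        return false;
    }
}

class HomeController extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session, so a request that carries
        // no session id (no cookie, no ;jsessionid) yields null here.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute("isLoggedIn"));
        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + "/login?expired");
            return;
        }
        // Every link written into the page must go through encodeURL() as well.
        response.setContentType("text/html");
        response.getWriter().printf("<a href=\"%s\">Profile</a>",
                response.encodeURL(request.getContextPath() + "/profile"));
    }
}
```

A session id carried in the URL is exposed to access logs, browser history and Referer headers, so deployments that can require cookies often restrict the container to the COOKIE tracking mode in web.xml instead of rewriting URLs.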
