How to associate a request with a HttpSession in a Java EE application, based on request payload?

Question

I have a Java EE application that receives requests over http/s. The requests do not contain any cookies or jsessionid request parameters.

In the request payload I can find a string "sessionid" that should allow me to associate that request to an HttpSession. I've managed to implement a mechanism that stores a map of sessions in memory, but that's not (easily) scalable in a cluster environment.

The standard Java EE mechanism for associating requests to HttpSessions is based on cookies or URL rewriting, which are not available for me, since I don't control the 3-rd party that sends the requests. Also, the HttpServletRequest object does not have a setSession() method.

Is there a straightforward way to associate requests to HttpSessions, without relying on a particular Java EE server or on some distributed cache?

Answer 1

A few statements:

• The 3rd party client does not conform to the HTTP spec, and that's not your problem
• If you need a custom mechanism, you should implement all of it. That is, do not rely on HttpSession - make a Map<String, Object> for each sessionId and support it yourelf
• Any other solution would require plugging your code into the container (for tomcat thay might be a Valve), but there is no standard solution.

Answer 2

I've been on that road before and it was a dead end. You really need to opt other mechanism than HttpSession It could be as simple as a unique id for each session (which should be stored in database rather than in memory) or something more sophisticated. Following links might help you

• OAuth

• HTTP basic authentication

• Google's ClientLogin (although deprecated by google, its a good architecture to study)

But yes, changing the mechanism does mean that the third-party has to conform to it.