C:url not appending jsessionid when cookies are disabled - java

I tried:
<c:url value="/web/pclub/userprofile" var="test">
<c:param name="userid" value="${user.id}"/>
</c:url>
${test}
But when I check the page with cookies disabled then the jsessionid is not appended.
Does anyone know why this happens?

The jsessionid is only appended when the cookies are disabled and when a session has been created on the server side (and thus the server side needs to notify the client about this somehow, for which a cookie would be the default approach). If no session has been created, then there's no point in appending the jsessionid.
Try adding the following line to the top of your JSP, at least before the <c:url> line is called. It not only prints/debugs the session ID for you, but it also implicitly creates the session if not done yet.
${pageContext.session.id}
Do this for testing purposes only. If it works, then the cause of your problem is that there was just no means of a session. Just keep it as is. There's no need to unnecessarily create the session. For the case whenever there's a session and the browser doesn't support cookies, the c:url will work fine.
By the way, to verify if the cookies are indeed disabled, track the request headers by Firebug. If there's no Cookie header in the request even though the server has set a Set-Cookie header in the response, then it means that the cookies are indeed disabled in the client side.

I think BalusC is right, however to force creating a session on the server, you can add a directive page on the top of your JSP, like this:
<%@ page session="true" %>

Related

J2ee Session Tracking

In my servlet (after login) I set the session timeout interval as 30 seconds and also note the sessionID as say X
session.setMaxInactiveInterval(30);
The servlet then forwards to a JSP page (intermediate1) which has a link to the second intermediate page (intermediate2). I don't do anything on the page for around 30 seconds (timeout interval) and then forward to the second jsp page (intermediate 2). Here I print the sessionID and it is NOT X. It is another value. How did this happen? Does the container automatically assign a session object to a JSP page if no session already exists? Kindly help.
JSP spec (for JSP 2.1/JEE6 it is found in chapter "JSP.1.10.1 The page Directive") describes that the session implicit object is on by default, so that every call to a JSP will participate in an existing session/create a new session if needed. It can be turned off as:
<%@ page session="false" %>
This is because of the JSP implicit objects; one of them is 'session'.
So JSP's implicit object will always be there.
In your case, the current session object had already gone away, but the JSP API makes a new one available.
Here is an interesting link I found on the web that answers my own question. FYI.
http://www.xyzws.com/jspfaq/can-i-prevent-the-creation-of-a-session-in-a-jsp-page/20

HttpSession variable null after being set in the Servlet

Here's my environment. Windows 7, Tomcat 8.x and Java 7.x
I'm writing an application, that has an entry point in the servlet, as opposed to a JSP. In this servlet I create a session, assign a variable to it, and then redirect the user to a JSP page. Here's the JAVA code:
HttpSession session = request.getSession();
logger.debug("Session Id: "+session.getId()+
"New Session? "+session.isNew()+
"Created: "+new java.util.Date(session.getCreationTime()));
session.setAttribute("implementation", sImplementation);
session.setAttribute("RequestId", sRequestId);
response.reset();
response.sendRedirect(request.getContextPath()+"/jsp/ProductSelection.jsp");
In the JSP page that I just redirected to I try to retrieve the session attribute that I just set in the Servlet and the value comes back as null, but only the first time that I use the JSP page. If I call it again by resubmitting the URL in the browser then everything works. :O :( Here's the relevant JSP code, the value of sImplementation is null the first time this JSP is hit.
<% System.out.println("Session Id: "+session.getId()+
"New Session? "+session.isNew()+
"Created: "+new java.util.Date(session.getCreationTime()));
String sImplementation = (String)session.getAttribute("implementation"); %>
Also if I make an entry point into my system to be a JSP page that does nothing but redirect the user to the Servlet everything works as expected. So the session created in the servlet is not valid until. Only when a JSP page is hit. :(
Lastly I tried using dispatcher.forward instead of response.sendRedirect and the session variable is there, however, the bootstrap framework that I'm using to render my pages do not render properly at all. :( I tried this in both Internet Exploder 11.x and Chromium 33.x
So my question is whether the behavior that I'm seeing is normal and expected or if there's something wrong here and there's a solution out there somewhere? :)
Thanks to all in advance, and let me know if anything is unclear or needs more code.
If I'm not wrong (I might), you should redirect to your jsp using
request.getRequestDispatcher("ProductSelection.jsp").forward(request, response);
This way it will be the same request and you will be able to get your session. By the way if you are creating sessions on your own you should disable the default session made by all jsp's
<%@ page session="false" %>
Let me know if it worked. :·)

How do I get the original page parameters from a JSP error page?

I have a JSP/servlet webapp on Tomcat and I need something like a crash report each time an unexpected error occurs.
I have an error page defined and added with the errorPage directive
<%@page errorPage="./erropage.jsp" %>
to my edit.jsp file(just an example).
The request to edit.jsp is made with post request (actually is an ajax request but this is not so important).
I need a solution to read the original parameters (sent to the edit.jsp page) from the error page in order to build a crash report.
request.getAttribute("javax.servlet.error.request_uri")
Does not help me since this will include the actual url (get parameters).
Also, to build up a string from requested parameters in edit.jsp and set that string to session is not an option since there are too many files in which I need to implement this.
Actually it seems like
request.getParameter()
in errorpage.jsp gives the parameter from the edit.jsp request!
I have a similar issue with cookies and I post a question about it.
Now, I believe (I have some checks to do) that the error mechanism is using REDIRECT scheme (not FORWARD) so a new request object is created. You can verify this assumption

How to change url in user browser without client redirect in servlet

I want to forward from one page to another but with the same I want url to be changed. Suppose user is here http://mywebsite/register and when he completes his registration process then I want this in his address bar http://mywebsite/home
Is it possible without using sendRedirect, I mean by way of server-side forwarding only? Or is there any other way around this problem?
You could just let the HTML form submit to that URL directly.
<form action="http://mywebsite/home">
But this makes no sense. You'll also run into problems when redisplaying the same form with validation messages in case of validation failure. You'd need to redirect back to the original page if you intend to keep the original URL and you'd need to fiddle with storing messages in the session scope instead of the request scope because a redirect basically creates a brand new request. Without a redirect you'll also run into the "double submit" problem whenever the enduser presses F5 after submitting the form.
Just let the servlet redirect the successful POST request to the desired URL. That's the canonical approach. Even more, this is a recommended "design pattern": the POST-Redirect-GET pattern.
AFAIK there's no way around a redirect since the browser has to update the url at some point. And if you'd update the url after the forwarded to page has been loaded it would issue a refresh and the page would be loaded again (which might result in an endless loop).
Why don't you want to use a redirect in that case?

Verifying Cookies in JSP using JSTL

I'm trying to figure out how cookies can be used to prevent a hacker from typing in a URL to an internal part of a java web application that shouldn't be accessible unless the user is logged in.
For example, I'd like to prevent a hacker from typing in http://domain.com/myapp/listtable.jsp and be able to view the table without logging in.
I have a servlet which stores a list of all cookies it has handed out to clients. I'm struggling to understand what the JSP/JSTL code would look like to examine the cookies in the request and compare it to what the server has stored.
Something like:
<c:forEach items="${cookie}" var="currentCookie">
<!-- Compare each incoming cookie with the cookies kept in the servlet,
if there's not a match then redirect to the login page. Otherwise,
show the contents of the page below -->
</c:forEach>
<html>
--- main page HTML here
Can anyone give me some advice on how to do this?
This should be the job of a Filter, not of the view.
Configure a Filter to check for your protected resources.
Check if the user's session has some value that logically makes him logged in.
If not, redirect the user to the login view.
See Also
universal-login-authorization-in-jsp
why-business-logic-should-be-moved-out-of-jsp
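The Filter approach from the answer above, as an added example that is not part of the original thread. It assumes the javax.servlet API (Servlet 3.x, as on Tomcat 8), a login servlet that stores a session attribute named `authenticatedUser` after checking credentials, and login resources at `/login.jsp` and `/login`; all of these names are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: gate every request on server-side session state, not on cookie values.
@WebFilter("/*")
public class LoginFilter implements Filter {
    // Assumed name: set by the login servlet only after credentials were verified.
    private static final String USER_ATTR = "authenticatedUser";
    private static final String LOGIN_PAGE = "/login.jsp";
    // Paths reachable without a login (assumed; add the login page's CSS/JS here too).
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<>(Arrays.asList(LOGIN_PAGE, "/login"));

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to find out nobody is logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        // getServletPath() excludes the context path and any ";jsessionid=..." path
        // parameter, so the comparison also holds when URL rewriting is in use.
        boolean isPublic = PUBLIC_PATHS.contains(request.getServletPath());

        if (loggedIn || isPublic) {
            chain.doFilter(req, res);
        } else {
            // A direct request such as /myapp/listtable.jsp without a login ends up here.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}
```

The container already maps the incoming JSESSIONID to the session, so the filter only has to check what the server stored in it; no cookie value from the client is compared by hand.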
I would personally add my JSP or any presentation content (that you deem protected) under the WEB-INF folder and map it accordingly to your controller. That way, the servlet container will hide it from external viewing.
Even though it's not the correct way to do it... in fact you can do something like that.
Try this:
<c:forEach items="${cookie}" var="currentCookie">
<!-- Compare each incoming cookie with the cookies kept in the servlet,
if there's not a match then redirect to the login page. Otherwise,
show the contents of the page below -->
${currentCookie.value.name} - ${currentCookie.value.value}<br/>
<c:if test="${currentCookie.value.name=='JSESSIONID'}">
Your Session is ${currentCookie.value.value}
</c:if>
</c:forEach>
