uCosminexus Application Server, Web Container Functionality Guide
2.7.4 Deleting invalid session IDs maintained by the Web client
Application Server deletes the invalid session IDs that a Web client still holds. As a result, Web clients are prevented from sending invalid session IDs.
If the HTTP session is disabled (invalidated), or if a request carrying an invalid session ID is received, the Web container adds to the HTTP response header an HTTP Cookie that deletes the HTTP Cookie information holding the invalid session ID. As a result, the invalid session ID is removed from the Web client.
The HTTP Cookie used for deleting the HTTP Cookie information showing the invalid session ID is an HTTP Cookie that fulfills all the following conditions:
- It is the HTTP Cookie that specifies the session ID, and its name is JSESSIONID (the Cookie name can be changed when Servlet 3.0 or later is used).
- Its value is "" (an empty string).
- Its validity period is set to a time that has already elapsed, so the Web client discards the Cookie.
The HTTP Cookie used for deleting the HTTP Cookie information showing the invalid session ID is added to the HTTP response header in the following cases:
- HTTP session is disabled.
- A session ID that does not exist in the J2EE server is received.
Each case is described below.
Precautions for using the Web server integration functionality
If the response status code is 304 (Not Modified), the Web server might delete the Set-Cookie header according to the Web server specifications. In that case the HTTP Cookie used for deleting the HTTP Cookie information showing the invalid session ID is also not added, so the invalid session IDs maintained by the Web client cannot be deleted.
Organization of this subsection
- (1) When the HTTP session is disabled
- (2) When a session ID that does not exist in the J2EE server is received
- (3) Notes on deleting invalid session IDs maintained by the Web client
(1) When the HTTP session is disabled
When all the following conditions are fulfilled, the HTTP Cookie used for deleting the HTTP Cookie information showing the invalid session ID is added to the HTTP response header:
- The session ID is notified by using the HTTP Cookie.
- The HTTP session is disabled before the HTTP response is committed in the Web application.#1
- The HTTP session does not exist when the HTTP response is committed.#2
#1
The HTTP response header is sent to the Web client when the response is committed, so an HTTP Cookie cannot be added to a response after it has been committed. Therefore, when the Web application disables the HTTP session after the HTTP response is committed, the HTTP Cookie used for deleting the HTTP Cookie information is not added. However, the next request from that client carries a session ID that no longer exists, so 2.7.4(2) When a session ID that does not exist in the J2EE server is received applies and the HTTP Cookie information is deleted then.
#2
If a new HTTP session is created before the HTTP response is committed, the HTTP Cookie information on the Web client is overwritten by the HTTP Cookie specifying the new session ID, so the old HTTP Cookie information does not need to be deleted.
Note that when either of the following conditions is fulfilled, the HTTP Cookie used for deleting the HTTP Cookie information showing the invalid session ID is not added even if the HTTP session is disabled:
- The request is received by the simple Web server.
- The servlet engine mode is used.
This behavior is retained to maintain compatibility with previous versions.
(2) When a session ID that does not exist in the J2EE server is received
When all the following conditions are fulfilled, it is determined that an invalid session ID is received and the HTTP Cookie used for deleting the HTTP Cookie information showing the invalid session ID is added to the HTTP response header:
- The session ID is notified by using the HTTP Cookie.
- The notified session ID does not exist in the J2EE server.
- The HTTP session does not exist when the HTTP response is committed.
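The rules in (1) and (2), together with the footnotes and the 304 precaution above, can be exercised with the following model. It is an added example written for this page, not code from uCosminexus or the manual: the class and parameter names, the session-table representation and the exact attributes of the deletion Cookie (the manual only states its name, its empty value and an already-elapsed validity period) are this example's own assumptions, and the 304 behaviour of the Web server is represented by a flag.

```python
# Added example (not part of the uCosminexus manual): a model of the Web
# container's decision on whether to add the "deletion cookie" to a response.
# Names, the session table and the cookie attributes below are assumptions.
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# An already-elapsed date plus Max-Age=0: both tell the client to discard the cookie.
DELETION_EXPIRES = "Thu, 01 Jan 1970 00:00:00 GMT"


@dataclass
class Request:
    cookie_session_id: Optional[str]       # session ID carried in the Cookie header, if any
    via_simple_web_server: bool = False    # request received by the simple Web server
    servlet_engine_mode: bool = False      # container running in servlet engine mode


@dataclass
class Response:
    status: int = 200
    committed: bool = False
    headers: list = field(default_factory=list)


@dataclass
class Container:
    """Models the J2EE server's session table and the response lifecycle."""
    sessions: Set[str]
    cookie_name: str = "JSESSIONID"        # configurable on Servlet 3.0 or later
    # A Web server in front of the container may drop Set-Cookie on 304 responses.
    web_server_drops_set_cookie_on_304: bool = False

    def deletion_cookie(self) -> str:
        """The cookie value that makes the client discard the stale session ID."""
        return f"{self.cookie_name}=; Expires={DELETION_EXPIRES}; Max-Age=0; Path=/"

    def handle(self, req: Request, *, invalidate_before_commit: bool = False,
               invalidate_after_commit: bool = False,
               create_new_session: bool = False, status: int = 200) -> Response:
        resp = Response(status=status)
        sid = req.cookie_session_id
        session_exists = sid is not None and sid in self.sessions
        stale_id_received = sid is not None and not session_exists   # rule (2)

        invalidated_in_app = False
        if session_exists and invalidate_before_commit:               # rule (1)
            self.sessions.discard(sid)
            session_exists = False
            invalidated_in_app = True

        current_sid = sid if session_exists else None
        if create_new_session:
            current_sid = secrets.token_hex(16)
            self.sessions.add(current_sid)

        # --- commit: the headers are fixed from this point on ---
        if current_sid is not None:
            if current_sid != sid:
                # Footnote #2: a new session's cookie overwrites the old one.
                resp.headers.append(f"Set-Cookie: {self.cookie_name}={current_sid}; Path=/")
        elif stale_id_received:
            resp.headers.append("Set-Cookie: " + self.deletion_cookie())
        elif invalidated_in_app and not (req.via_simple_web_server or req.servlet_engine_mode):
            # Compatibility exclusions apply only to the "session disabled" case.
            resp.headers.append("Set-Cookie: " + self.deletion_cookie())
        resp.committed = True

        # Web server integration precaution: Set-Cookie may be lost on 304.
        if resp.status == 304 and self.web_server_drops_set_cookie_on_304:
            resp.headers = [h for h in resp.headers if not h.startswith("Set-Cookie:")]

        # Footnote #1: invalidating after commit cannot change the headers; the
        # next request then carries a non-existent ID and falls under rule (2).
        if invalidate_after_commit and sid is not None:
            self.sessions.discard(sid)
        return resp


def has_deletion_cookie(container: Container, resp: Response) -> bool:
    return ("Set-Cookie: " + container.deletion_cookie()) in resp.headers


if __name__ == "__main__":
    c = Container(sessions={"abc"})
    first = c.handle(Request("abc"), invalidate_after_commit=True)
    second = c.handle(Request("abc"))
    print("after-commit invalidation:", first.headers)   # no cookie can be added
    print("next request:", second.headers)               # deletion cookie now sent
```

Running the block shows the footnote #1 sequence: the response in which the session was invalidated after commit carries no Set-Cookie at all, and the client's next request with the now non-existent ID is the one that receives the deletion Cookie.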
(3) Notes on deleting invalid session IDs maintained by the Web client
In a configuration in which requests for the same path are handled by multiple J2EE servers, disable this functionality.
If requests for the same path are handled in a configuration where the Path attribute of the Cookie has been rewritten by a reverse proxy, the HTTP session might be deleted inappropriately.
All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd.