"michela rossi" <mi*************@hotmail.com> wrote in message
news:1e**************************@posting.google.com...
Hi,
Wonder if someone can help.
We have a client for whom we have to build a website that cannot use
cookies. The server technology will be Unix, JSP/Java, Apache-Tomcat.
Will be using J2SE, no J2EE at all.
So, we'd like to be able to maintain session-like-information e.g.
contents of shopping basket etc, but we absolutely cannot use cookies.
Anyone know of any articles/URLs on how to deal with this?
URL-encoding might be fine, depends upon the length of the browser
string; other options can be considered, but just no cookies.
So, sample code/URLs/articles would be most welcome if at all
possible.
Thanks,
Michela.
Hi Michela,
There are really only two options available without using cookies: URL
rewriting and parameter passing.
URL rewriting is probably the best option as it won't require much
additional coding since you can use the inbuilt HttpSession to keep track of
data. I assume you know about the Session Tracking API, but if you don't
there are plenty of tutorials available (do a Google search). Or I can
provide some example code.
The problem with URL rewriting is that _every_ URL needs to be encoded in
order to keep the session state. If you have just one URL in the sequence
that hasn't been rewritten, you'll lose the session.
I don't know what you're using at the presentation layer, but if you're
using JSP with the JSTL tag library, this is relatively simple. You just
have to use the <c:url> tag on all links
e.g. <a href="<c:url value="/somePage.jsp"/>">Link</a>
If you're using just servlets/plain jsp you must use the
response.encodeURL() method
e.g. out.print("<a href=\"");
out.print(response.encodeURL("/somePage.jsp"));
out.print("\">Link</a>");
or
<a href="<%= response.encodeURL("/somePage.jsp") %>">Link</a> for
JSP
You also need to encode any URLs used in a redirect:
response.sendRedirect(response.encodeRedirectURL("http://host/somePage.jsp"));
For all of the above, the URLs will only be rewritten if cookies are not
available. I assume the requirement that the site cannot use cookies is
because the browser/device doesn't support cookies. If however it is a
strict rule that you cannot _ever_ use cookies even if the browser supports
them, I'm afraid the above won't help. I don't think it's possible to
enforce URL rewriting if cookies are supported and enabled on the browser.
As for URL length, a string of this length will be appended to the links:
jsessionid=5fc50201479a6bffffffff918ed47335519ac:VHwY
Let us know if none of this is an option, or if it doesn't make sense.
HTH
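
Added example, not part of the original post: because a single link that was not passed through encodeURL() loses the session, this Java check scans a rendered page for same-site href/action URLs that carry no ;jsessionid path parameter. The class and method names, the host shop.example and the sample HTML are constructed for illustration; it assumes quoted attribute values and a page rendered for a client without cookies, so every same-site link should have been rewritten.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: lists same-site links in rendered HTML that lack ;jsessionid. */
public class UnencodedLinkAudit {
    // Matches href="..." and action="..." with single or double quotes.
    private static final Pattern LINK =
        Pattern.compile("(?i)\\b(?:href|action)\\s*=\\s*([\"'])(.*?)\\1");

    /** Returns every same-site URL in html whose path carries no session id. */
    static List<String> findUnencoded(String html, String siteHost) {
        List<String> missing = new ArrayList<>();
        Matcher m = LINK.matcher(html);
        while (m.find()) {
            String url = m.group(2).trim();
            if (isSameSite(url, siteHost) && !hasSessionId(url)) missing.add(url);
        }
        return missing;
    }

    // Links that leave the site or never reach the server do not need the id.
    private static boolean isSameSite(String url, String siteHost) {
        if (url.isEmpty() || url.startsWith("#")) return false;
        String lower = url.toLowerCase();
        if (lower.startsWith("http://") || lower.startsWith("https://")) {
            String rest = lower.substring(lower.indexOf("//") + 2);
            String host = rest.split("[/:?#;]", 2)[0];
            return host.equals(siteHost.toLowerCase());
        }
        // Any other scheme (mailto:, javascript:) is not a page request.
        return !lower.matches("^[a-z][a-z0-9+.-]*:.*");
    }

    // The id is a path parameter, so it must sit before any '?' or '#'.
    private static boolean hasSessionId(String url) {
        String path = url.split("[?#]", 2)[0];
        return path.toLowerCase().contains(";jsessionid=");
    }

    public static void main(String[] args) {
        // Constructed sample page: one rewritten link, two missed, one external.
        String html = "<a href=\"/basket.jsp;jsessionid=ABC123\">Basket</a>"
            + "<a href='/checkout.jsp?step=1'>Checkout</a>"
            + "<form action=\"http://shop.example/pay.jsp\"></form>"
            + "<a href=\"http://other.example/help\">Help</a>";
        System.out.println(findUnencoded(html, "shop.example"));
    }
}
```

Run it against pages fetched with cookies disabled in the client; any URL it lists is a point where the session would be dropped.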