What is JSESSIONID in J2EE Web application - JSP Servlet?

What is JSESSIONID in JSP-Servlet
JSESSIONID is a cookie generated by Servlet containers like Tomcat or Jetty and used for session management in J2EE web applications over the HTTP protocol. Since HTTP is a stateless protocol, there is no way for a Web server to relate two separate requests coming from the same client; session management is the process of tracking a user session using techniques like cookies and URL rewriting. If a Web server is using a cookie for session management, it creates and sends the JSESSIONID cookie to the client, and the client then sends it back to the server in subsequent HTTP requests. JSESSIONID and session management are not only a popular Servlet interview question but also appear in various JSP interviews. Along with what JSESSIONID is, interviewers are also interested in when and how JSESSIONID is created in Servlet and JSP, which we will see in the next section.

When is JSESSIONID created in the Web application?
In a Java J2EE application, the container is responsible for session management and by default uses a cookie. When a user accesses your web application for the first time, whether a session is created depends on whether the user is accessing HTML, JSP or a Servlet. If the user's request is served by a Servlet, then the session is created by calling the request.getSession(true) method. It accepts a boolean parameter which instructs it to create a session if one does not already exist.

If you call request.getSession(false), it will either return null if no session is associated with this user, or return the associated HttpSession object. If the HTTP request is for a JSP page, then the container automatically creates a new session with a JSESSIONID, unless this feature is explicitly disabled by using the page directive <%@ page session="false" %>.

Once the session is created, the container sends the JSESSIONID cookie in the response to the client. In the case of HTML access, no user session is created. If the client has disabled cookies, then the container uses URL rewriting for managing the session, in which the jsessionid is appended to the URL.


When the HTTP session is invalidated by calling invalidate(), mostly when the user logs off, the old JSESSIONID is destroyed, and a new JSESSIONID is created when the user logs in again.

How to monitor HTTP requests to check JSESSIONID

You can check the value of the JSESSIONID coming in as a cookie by monitoring HTTP requests. If you are running Tomcat Server in NetBeans IDE in your development environment, then you can use the HTTP Server Monitor to check HTTP requests. You just need to enable it while starting Tomcat Server from NetBeans. After that, with each request you can see all the details of request headers, session, cookies etc. in the HTTP Server Monitor screen. If you look at the JSESSIONID cookie, it will look like:

cookie  JSESSIONID=1A530637289A03B07199A44E8D531427

You can also monitor HTTP requests and responses on the client side by using tools like Ethereal or Wireshark. These tools can monitor all HTTP traffic from and to your machine, and by looking at the request data you can see the JSESSIONID cookie and its value.
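
The same check can be scripted against captured requests. The following is an added example, not code from the original post: it reads a raw HTTP request and reports whether the JSESSIONID arrived in the Cookie header or as a ;jsessionid= path parameter from URL rewriting. The sample requests are constructed, and the function names find_session_ids and tracking_mode are assumptions of this example.

```python
import re

# Containers such as Tomcat and Jetty write the rewritten id as a path
# parameter: /path;jsessionid=<id>?query  (before the query string).
URL_PARAM = re.compile(r";jsessionid=([^;?#/\s]+)", re.IGNORECASE)


def find_session_ids(raw_request):
    """Return {'cookie': id-or-None, 'url': id-or-None} for one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")              # METHOD SP request-target SP version
    target = parts[1] if len(parts) >= 2 else ""
    found = {"cookie": None, "url": None}

    match = URL_PARAM.search(target.split("?", 1)[0])   # path only, not the query
    if match:
        found["url"] = match.group(1)

    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):        # Cookie: a=1; b=2
            key, _, val = pair.strip().partition("=")
            if key == "JSESSIONID":
                found["cookie"] = val
    return found


def tracking_mode(raw_request):
    """Name the session tracking mechanism the request is using."""
    ids = find_session_ids(raw_request)
    if ids["cookie"] and ids["url"]:
        # Both present: equal ids are redundant, different ids deserve a look.
        return "both" if ids["cookie"] == ids["url"] else "conflict"
    if ids["cookie"]:
        return "cookie"
    return "url-rewriting" if ids["url"] else "none"


# Constructed sample requests (the first id is the one shown on this page).
COOKIE_REQ = ("GET /shop/cart.jsp HTTP/1.1\r\nHost: localhost:8080\r\n"
              "Cookie: lang=en; JSESSIONID=1A530637289A03B07199A44E8D531427\r\n\r\n")
URL_REQ = ("GET /shop/cart.jsp;jsessionid=0123456789ABCDEF0123456789ABCDEF?item=7 "
           "HTTP/1.1\r\nHost: localhost:8080\r\n\r\n")
STATIC_REQ = "GET /index.html HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"

if __name__ == "__main__":
    for req in (COOKIE_REQ, URL_REQ, STATIC_REQ):
        print(tracking_mode(req), find_session_ids(req))
```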

That's all on what JSESSIONID is and how JSESSIONID is created inside a J2EE application. We have seen that both Servlet and JSP can be responsible for session creation, but it is done by the container. You can retrieve the value of the session ID, which is represented by the JSESSIONID cookie, when you call request.getSession(). Session management in web applications is a complex topic, especially when it comes to clustering and distributed sessions. On the other hand, JSESSIONID is one of those basics which, as a J2EE web application developer, you should be aware of.



Anonymous said...

I hardly need someone able to decode a JSessionID to get the 'timeTag' in it (date of connection)
contact ovny29@free.fr in France
urgent and important

Delli said...

How is this handled in cluster mode? Say a session is associated with one node and that node fails, then it redirects to another node.. is the same session forwarded or

Javin Paul said...

@Delli, Sessions are usually replicated across the cluster; it means the same session is available to every node.

Javin Paul said...

This is another reason why Session is Serializable and you should not put anything on HttpSession which is not serializable.
