Configuring Cookie based session tracking

If you decide to use cookies for session tracking, you can configure that behavior by clicking the Enable cookies link. You will get a screen like this:

  1. Cookie name: As per the Servlet 2.4 specification, the cookie name should be JSESSIONID, but you can change it.

  2. Restrict cookies to HTTPS sessions: Enabling this feature restricts the exchange of cookies to HTTPS sessions only.

  3. Cookie maximum age: The amount of time that the cookie will live in the client browser. There are two choices:

    • Expire at the end of the current browser session

    • Expire at a configurable maximum age

    If you choose the maximum age option, specify the age in seconds.

In addition, there are two more properties that you can configure: Cookie domain and Cookie path. Before we talk about them, we have to cover how cookies work. When a user makes a request to the server for the first time, the server generates an HTTP session and returns the session cookie to the browser. After that, whenever the browser makes a request to the server, it includes that cookie in a header so that the server can identify the user based on that cookie.

Browsers let you limit the requests to which the cookie is forwarded. For example, let's say in your environment you have and, and you configured your cookie domain to Now if you go to the server will generate a cookie and send it to the browser. Now if your browser is sending the next request to it will check the domain of the request; if it is it won't include the cookie, and that way the server won't have any way of knowing that this request is coming from user1.

The same thing applies to the cookie path: you can configure the path to, say, dynamic so that the browser will include the cookie when making a request to but not when you make a request to or
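The domain and path checks described in the two paragraphs above, as an added example that is not part of the original post: it implements the RFC 6265 domain-match and path-match rules a browser applies before attaching a cookie, plus the HTTPS-only restriction. The hostnames under example.com, the /dynamic and /static paths, and all function names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: the request host matches when it equals the cookie
// domain, or is a hostname (not an IP) ending in "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: prefix match that must end on a "/" boundary,
// so a cookie path of /dynamic does not cover /dynamicpages.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a browser would attach the cookie to a request URL.
function browserSendsCookie(url, cookie) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false; // HTTPS-only cookie
  return domainMatch(u.hostname, cookie.domain) && pathMatch(u.pathname, cookie.path);
}

// Constructed session cookie: scoped to one host and one path, HTTPS only.
const sessionCookie = {
  name: "JSESSIONID", domain: "app1.example.com", path: "/dynamic", secure: true,
};

// Constructed request URLs covering each way the cookie can be withheld.
const sampleRequests = [
  "https://app1.example.com/dynamic/cart",   // sent
  "https://app2.example.com/dynamic/cart",   // withheld: other host
  "https://app1.example.com/static/logo.png", // withheld: other path
  "https://app1.example.com/dynamicpages/x", // withheld: not on a "/" boundary
  "http://app1.example.com/dynamic/cart",    // withheld: not HTTPS
];

function evaluate(urls, cookie) {
  return urls.map((url) => ({ url, sent: browserSendsCookie(url, cookie) }));
}

for (const r of evaluate(sampleRequests, sessionCookie)) {
  console.log(`${r.sent ? "sent    " : "withheld"} ${r.url}`);
}
```

Setting the cookie domain to the parent (example.com in this constructed setup) makes `domainMatch` succeed for every subdomain, so the session cookie is then sent to all of them.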
