Some [random] precisions:
- You don't need login/logout mechanisms in order to have sessions.
- In Java servlets, HTTP sessions are tracked using two mechanisms: HTTP cookies (the most commonly used) or URL rewriting (to support browsers without cookies or with cookies disabled). Using only cookies is simple; you don't have to do anything special. For URL rewriting, you need to modify all URLs pointing back to your servlets/filters.
- Each time you call `request.getSession(true)`, the `HttpRequest` object will be inspected in order to find a session ID encoded either in a cookie and/or in the URL path parameter (what follows a semicolon). If the session ID cannot be found, a new session will be created by the servlet container (i.e. the server).
- The session ID is added to the response as a cookie. If you want to support URL rewriting also, the links in your HTML documents should be modified using the `response.encodeURL()` method. Calling `request.getSession(false)` or simply `request.getSession()` will return null in the event the session ID is not found or the session ID refers to an invalid session.
- There is a single HTTP session per visit, as Java session cookies are not stored permanently in the browser. So session objects are not shared between clients. Each user has his own private session.
- Sessions are destroyed automatically if not used for a given time. The timeout value can be configured in the `web.xml` file.
- A given session can be explicitly invalidated using the `invalidate()` method.
- When people are talking about `JSESSIONID`, they are referring to the standard name of the HTTP cookie used to do session-tracking in Java.