How the creation of HTTPSession works when request is coming from webserver instead of web browser?

Question

I have a very basic question how the creation of HTTPSession works.I know you folks will fire me on looking at this question as similar kind of questions exist.But there is reas

Answer 1

I think this is what you are looking for :

By default session tracking happens by cookies. WebServer sends the session id to the browser in the form of cookie. And, the browser send the cookie having session id for the subsequent requests.

How does the browser identifies which cookies to send for a link/request? It is based on the these parameters. If the request matches these paramters the browser sends that particular cookie:

1. Domain: The domain name to which the request is made. Verify in your case if the domain name is same for two instances
2. Path: If the path name is same. Web Server send the context root as the path , requests under same context root share cookies.
3. Secure: Server sends if the given cookie is secure or not. Meaning, if the cookie can be sent on non-secure channel.

These parameters will let the browser to send the cookies to the server. And because the same cookie is sent for both the instances you are having. I think the session id is being shared.

If the request propeties such as Request URI, domain and path(i.e, context root) are same between requests, there is no way to tell the browser to use different cookies.

You have some options below:

1. Use different domain names.
2. Use different context roots.
3. Have a LB in front of two nodes and redirect to the correct node based on Session id