By Date:	<-- -->
By Thread:	<-- -->
How does Tomcat detect whether a browser accepts cookies

From: "GB Developer" <gb1071nx (at) globallyboundless.com>
Date: Thu, 22 Jun 2006 14:09:23 -0500
Just because it's fun to have that one last kick at the dead horse...

You really can't rely on any cookie being set, can you?  I mean most users
are simply not this savvy (or stupid, depending on how you feel about it),
but I can set my browser to prompt for every cookie, and I as the (idiot?)
user can reject the session cookie, and then accept every other cookie. Or,
I can accept the session cookie (because it's a *session* cookie, the kind
that disappear), and reject all others. In fact, doesn't one of them there
browsers have a setting like that, to automatically accept session cookies,
but prompt for the other ones?
 
So no, I don't think you can reliably use isRequestedSessionIdFromCookie to
tell whether or not a client "accepts cookies".  Not all cookies are alike.


> -----Original Message-----
> From: Pid [mailto:p (at) pidster.com] 
> Sent: Thursday, June 22, 2006 12:50 PM
> To: Tomcat Users List
> Subject: Re: How does Tomcat detect whether a browser accepts cookies
> 
> 
> You could use the session id location as an indicator, 
> assuming there's a session already.
> 
>  if (hreq.isRequestedSessionIdFromCookie()) {
> 	// we're good, do whatever
>  }
>  else {
> 	// no cookies, begone!
>  }
> 
> if your initial point of contact does a single instant 
> redirect to the detector, then Tomcat should sort out the 
> session location by the time you need to detect it.
> 
>  servlet1(redirect) > servet2(detect)
> 
> this is the same as was suggested before, but at least you 
> don't have to write your own cookie addition/detection routine.
> 
> 
> 
> Garey Mills wrote:
> > David -
> > 
> > 	Thanks for the clear, concise answer.
> > 
> > Garey Mills
> > Library Systems Office
> > UC Berkeley
> > 
> > The brain is not where you think
> > 
> > On Wed, 21 Jun 2006, David Smith wrote:
> > 
> >> On first response, Tomcat both set's a cookie JSESSIONID 
> and appends 
> >> the
> >> same to the page links (when properly coded). If the 
> cookie comes back 
> >> on the next request, url rewriting is dropped in favor of 
> the cookie. No 
> >> magic, tomcat just covers all it's bases up front.
> >>
> >> See HttpServletResponse.encodeURL(String) in the servlet spec for 
> >> more info.
> >>
> >> -- David
> >>
> >> Garey Mills wrote:
> >>> David -
> >>>
> >>> 	Tomcat uses cookies to establish a session with the 
> browser. If it 
> >>> can't use cookies, it uses URL rewriting. So whenever 
> someone uses 
> >>> my app, Tomcat tries to set a cookie.
> >>>
> >>> 	If it was the case that Tomcat didn't know whether the browser 
> >>> accepted cookies until after it tried to set one at the first 
> >>> access, users of browsers that did not accept cookies 
> would not have 
> >>> a session that recorded their first access. I don't think 
> that would 
> >>> be considered acceptable, so I assume that Tomcat knows, 
> before my 
> >>> app is reached, whether the browser accepts cookies. But is my 
> >>> assumption correct, I don't know. That is what I am asking.
> >>>
> >>>
> >>> 	
> >>>
> >>> Garey Mills
> >>> Library Systems Office
> >>> UC Berkeley
> >>>
> >>> The brain is not where you think
> >>>
> >>> On Wed, 21 Jun 2006, David Kerber wrote:
> >>>
> >>>   
> >>>> Why would it try until your app tells it to?  AFAIK (admittedly, 
> >>>> not
> >>>> very far; I don't use cookies)  think it needs to be 
> handled by your app.
> >>>>
> >>>>
> >>>> Garey Mills wrote:
> >>>>
> >>>>     
> >>>>> David -
> >>>>>
> >>>>> 	Well, okay then, but how can my app find out 
> what Tomcat knows 
> >>>>> about whether the browser accepts cookies or not? And when does 
> >>>>> Tomcat try? Before control is passed to my app?
> >>>>>
> >>>>> Garey Mills
> >>>>> Library Systems Office
> >>>>> UC Berkeley
> >>>>>
> >>>>> The brain is not where you think
> >>>>>
> >>>>> On Wed, 21 Jun 2006, David Kerber wrote:
> >>>>>
> >>>>>  
> >>>>>
> >>>>>       
> >>>>>> I think what he's getting at is that Tomcat (or any other web 
> >>>>>> server)
> >>>>>> cannot tell how a browser is set wrt cookies without 
> trying to set one 
> >>>>>> and then seeing if it's there.
> >>>>>>
> >>>>>> Garey Mills wrote:
> >>>>>>
> >>>>>>    
> >>>>>>
> >>>>>>         
> >>>>>>> Martin -
> >>>>>>>
> >>>>>>> 	I guess I'm being obtuse, but WHAT won't work? 
> What I want to 
> >>>>>>> know is how Tomcat detects whether the browser 
> accepts cookies, 
> >>>>>>> that is, whether it is set to accept cookies or not?
> >>>>>>>
> >>>>>>> Garey Mills
> >>>>>>> Library Systems Office
> >>>>>>> UC Berkeley
> >>>>>>>
> >>>>>>> The brain is not where you think
> >>>>>>>
> >>>>>>> On Wed, 21 Jun 2006, Martin Gainty wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>      
> >>>>>>>
> >>>>>>>           
> >>>>>>>> Garey-
> >>>>>>>>
> >>>>>>>> Unfortunately that wont work if your Browser 
> disallows cookies 
> >>>>>>>> If its IE Check out the IE options-
> >>>>>>>>
> >>>>>>>> Tools
> >>>>>>>> Internet Options
> >>>>>>>> Privacy
> >>>>>>>> Advanced
> >>>>>>>> look at "switched on Always allow Session Cookies"
> >>>>>>>>
> >>>>>>>> HTH,
> >>>>>>>>
> >>>>>>>> Martin --
> >>>>>>>> 
> ***************************************************************
> >>>>>>>> ******
> >>>>>>>> This email message and any files transmitted with it 
> contain confidential
> >>>>>>>> information intended only for the person(s) to whom 
> this email message is
> >>>>>>>> addressed.  If you have received this email message 
> in error, please notify
> >>>>>>>> the sender immediately by telephone or email and 
> destroy the original
> >>>>>>>> message without making a copy.  Thank you.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>> From: "Garey Mills" <gmills (at) library.berkeley.edu>
> >>>>>>>> To: "Tomcat Users List" <users (at) tomcat.apache.org>
> >>>>>>>> Sent: Wednesday, June 21, 2006 12:50 PM
> >>>>>>>> Subject: Re: How does Tomcat detect whether a 
> browser accepts cookies
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>   
> >>>>>>>>
> >>>>>>>>        
> >>>>>>>>
> >>>>>>>>             
> >>>>>>>>> Leon -
> >>>>>>>>>
> >>>>>>>>> Thank you for your response, but I don't understand 
> it. I have 
> >>>>>>>>> a key question:
> >>>>>>>>>
> >>>>>>>>> how does Tomcat detect that a browser does not 
> accept cookies?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> There are a number of different ways to detect it inside my 
> >>>>>>>>> application, but all of them seem to need a 
> roundtrip to the 
> >>>>>>>>> browser. If, as I suspect, Tomcat can tell without the 
> >>>>>>>>> redirect, I would like to use Tomcat's knowledge. If Tomcat 
> >>>>>>>>> uses a roundtrip, I would still like to use Tomcat's 
> >>>>>>>>> knowledge, so that I don't have to duplicate the 
> work inside 
> >>>>>>>>> my app.
> >>>>>>>>>
> >>>>>>>>> Garey Mills
> >>>>>>>>> Library Systems Office
> >>>>>>>>> UC Berkeley
> >>>>>>>>>
> >>>>>>>>> The brain is not where you think
> >>>>>>>>>
> >>>>>>>>> On Wed, 21 Jun 2006, Leon Rosenberg wrote:
> >>>>>>>>>
> >>>>>>>>>     
> >>>>>>>>>
> >>>>>>>>>          
> >>>>>>>>>
> >>>>>>>>>               
> >>>>>>>>>> You could check for your cookie in first request 
> and if not 
> >>>>>>>>>> present just set the cookie in the  request and 
> redirect to 
> >>>>>>>>>> another page which reads  the cookie (btw, it can also be 
> >>>>>>>>>> done with javascript without user-visible-reload). The 
> >>>>>>>>>> difference to your approach that each user will be 
> redirected 
> >>>>>>>>>> exactly once, since you are checking for your 
> cookie in first 
> >>>>>>>>>> request and it should remain persistent for next visits.
> >>>>>>>>>>
> >>>>>>>>>> regards
> >>>>>>>>>> Leon
> >>>>>>>>>>
> >>>>>>>>>> On 6/21/06, Garey Mills 
> <gmills (at) library.berkeley.edu> wrote:
> >>>>>>>>>>       
> >>>>>>>>>>
> >>>>>>>>>>            
> >>>>>>>>>>
> >>>>>>>>>>                 
> >>>>>>>>>>> Hi -
> >>>>>>>>>>>
> >>>>>>>>>>>       I have an application that does not work correctly 
> >>>>>>>>>>> when the browser does not accept cookies. I added 
> some code 
> >>>>>>>>>>> that rewrites the query string the first time the app is 
> >>>>>>>>>>> entered to include a new parameter and then 
> redirects to the 
> >>>>>>>>>>> app. I watch for that parameter and if I find it I check 
> >>>>>>>>>>> whether the session id is from a cookie. If it 
> isn't I put 
> >>>>>>>>>>> up a "Sorry, you need cookies message" and exit.
> >>>>>>>>>>>
> >>>>>>>>>>>       This solution is not optimal, since I am seeing a 
> >>>>>>>>>>> blank page the first time I try to get into the 
> application.
> >>>>>>>>>>>
> >>>>>>>>>>>       So my question is: Tomcat must ascertain 
> whether the 
> >>>>>>>>>>> browser accepts cookies in order to decide whether to use 
> >>>>>>>>>>> cookies or URL rewriting. How does it do it? and 
> can I check 
> >>>>>>>>>>> Tomcat to find out, too?
> >>>>>>>>>>>
> >>>>>>>>>>> Garey Mills
> >>>>>>>>>>> Library Systems Office
> >>>>>>>>>>> UC Berkeley
> >>>>>>>>>>>
> >>>>>>>>>>> The brain is not where you think
> >>>>>>>>>>>              
> >>>>>>>>>>>
> >>>>>>>>>>>                   
> >>>> 
> -------------------------------------------------------------------
> >>>> --
> >>>> To start a new topic, e-mail: users (at) tomcat.apache.org
> >>>> To unsubscribe, e-mail: users-unsubscribe (at) tomcat.apache.org
> >>>> For additional commands, e-mail: users-help (at) tomcat.apache.org
> >>>>
> >>>>
> >>>>     
> >>>
> >>> 
> --------------------------------------------------------------------
> >>> -
> >>> To start a new topic, e-mail: users (at) tomcat.apache.org
> >>> To unsubscribe, e-mail: users-unsubscribe (at) tomcat.apache.org
> >>> For additional commands, e-mail: users-help (at) tomcat.apache.org
> >>>
> >>>   
> >>
> >> 
> ---------------------------------------------------------------------
> >> To start a new topic, e-mail: users (at) tomcat.apache.org
> >> To unsubscribe, e-mail: users-unsubscribe (at) tomcat.apache.org
> >> For additional commands, e-mail: users-help (at) tomcat.apache.org
> >>
> >>
> > 
> > 
> > 
> ---------------------------------------------------------------------
> > To start a new topic, e-mail: users (at) tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe (at) tomcat.apache.org
> > For additional commands, e-mail: users-help (at) tomcat.apache.org
> > 
> > 
> > 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users (at) tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe (at) tomcat.apache.org
> For additional commands, e-mail: users-help (at) tomcat.apache.org
> 
> 


---------------------------------------------------------------------
To start a new topic, e-mail: users (at) tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe (at) tomcat.apache.org
For additional commands, e-mail: users-help (at) tomcat.apache.org
References:
- How does Tomcat detect whether a browser accepts cookies
  - From: Pid <p (at) pidster.com>
Prev by Date: looking for memory profiler or dump analyzer for production use
Next by Date: Retrieving List<MyType> from a request/session attribute
Previous by thread: How does Tomcat detect whether a browser accepts cookies
Next by thread: Calling URL in same web app to get resulting HTML?
Index(es):
- Main
- Thread