Yes, exactly, if you can't use cookies you can achieve the same by appending the JSessionId between calls to the server. It's called URL Rewriting.
You must append the jsessionid to the links returned to the browser; this way, the browser will send its subsequent calls to the server with the same jsessionid. But to do it, you should use the methods of the response parameter of the servlet: encodeURL() and setRedirect(), so that it attaches the JSessionId properly (if it's really needed).
For example, if you have the following link in your servlet/jsp:
out.println("<a href=\"/mycontext/newpage\">Next Page</a>");
You should write it:
// print() rather than println(), so no line breaks end up inside the href value
out.print("<a href=\"");
out.print(response.encodeURL("/mycontext/newpage"));
out.println("\">Next Page</a>");
It will automatically attach the JSessionId if it's needed (if cookies are disabled, for example).
The same way, if you just need to send a redirect, you should:
response.sendRedirect(response.encodeRedirectURL("http://myhost/mycontext/newpage"));
For more information look at the JDK API for HttpServletResponse.
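
The following complete servlet is an added example, not part of the original answer. It shows a session surviving link clicks and a redirect when cookies are unavailable. It assumes the `javax.servlet` API (newer containers use `jakarta.servlet`); the class name `CounterServlet`, the `/counter` mapping and the `hits` attribute are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, assumed to be mapped to /counter in the web application.
public class CounterServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(); // creates the session on first visit
        String self = request.getContextPath() + "/counter";

        if (request.getParameter("reset") != null) {
            session.removeAttribute("hits");
            // encodeRedirectURL() keeps the session across the redirect without cookies.
            response.sendRedirect(response.encodeRedirectURL(self));
            return;
        }

        Integer hits = (Integer) session.getAttribute("hits");
        hits = (hits == null) ? 1 : hits + 1;
        session.setAttribute("hits", hits);

        // The container appends ;jsessionid=<id> only when the session is not known
        // to be tracked by a cookie (new session, or cookies disabled).
        String next = response.encodeURL(self);
        String reset = response.encodeURL(self + "?reset=1");

        response.setContentType("text/html;charset=UTF-8");
        // A session id carried in a URL shows up in history, logs and Referer
        // headers, so keep pages that contain such links out of caches.
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<p>Hits in this session: " + hits + "</p>");
        out.println("<p>Session id taken from URL: "
                + request.isRequestedSessionIdFromURL() + "</p>");
        out.println("<a href=\"" + next + "\">Next Page</a>");
        out.println("<a href=\"" + reset + "\">Reset</a>");
    }
}
```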