2

In a clustered Websphere environment, I retrieve the JSESSIONID of the current HTTP request using the following code:

HttpServletRequest servletRequest = ...;
servletRequest.getSession().getId();

From this code, I get the identifier, something like this: z84d621pxY1VChlK_0eEgFZ.

Then if I check the cookies on my browser, I see that the JSESSIONID contains the above ID but with additional information, e.g. 0000z84d621pxY1VChlK_0eEgFZ:18fjt9t1u

I'm surprized that HttpServletRequest.getSession().getId() does not give me the right identifier.

Note that if I test with Tomcat, I always get the same value.

How should I proceed to get the full JSESSIONID value?

LaurentG
  • 11,128
  • 9
  • 51
  • 66

2 Answers2

4

It gives you the right identifier - the session identifier. The rest of the number are internal WebSphere related parts. WebSphere session cookie consists of 3 parts:

  • epoch number
  • session id
  • clone id

Epoch number (first four digits) are used by web container to make sure that cached session is not stale.

Session ID - is actual session identifier, which allows container to find user session

Clone ID - is used by WebSphere Plugin installed with web server to forward request to the server that holds session data with respect to session affinity.

Why would you need the other parts? They don't identify the session and might change during session lifetime.

UPDATE
You can get full session id using cookie api:

Cookie cookies[] = request.getCookies(); 
 for(int i = 0; i< cookies.length; i++) {
    out.println(cookies[i].getName() + " " +cookies[i].getValue()+  " <br>" );
}
// output:
JSESSIONID 00002ikOjIY63tLqbF-6OF0QxL8:-1
Gas
  • 17,601
  • 4
  • 46
  • 93
  • Thanks for the explanation. The JSESSIONID is sent over JMS to another application which needs to call the web server within the same HTTP session as the browser. I programmatically send an HTTP request and a JSESSIONID cookie with the content I retrieve in the web application. If the JSESSIONID is not the full one, it won't work. – LaurentG Aug 06 '14 at 05:46
  • I haven't found any better solution that to read the JSESSIONID from the cookie. Thanks for the suggestion. – LaurentG Aug 13 '14 at 06:01
1

NoAdditionalSessionInfo=true in websphere custom properties.

Set this value to "true" to force removal of information that is not needed in session identifiers. In WebSphere Application Server base edition,a clone ID of -1 is never used; therefore, a clone ID is not included in base edition when this is set. Also, cache ID is not used with nonpersistent sessions; so the cache ID is not included with nonpersistent sessions when this value is set. Ref:https://www.ibm.com/docs/en/was/9.0.5?topic=tracking-session-management-custom-properties#NoAdditionalSessionInfo

Ant's
  • 11
  • 1