If the cookies are disabled at client side then we have to use URL-Rewriting.
In this approach,Server can send session information to the client by appending it as part of the URL instead of using set-cookie response header.
HttpServletResponse defines the following methods to append session-id to the URL.
- public String encodeURL(String url)
Returns the URL by appending session-id.
- public String encodeRedirectURL(String url)
Returns the URL by appending session-id.This can be used as argument to sendRedirect() method.
The above two methods will append session-id to the URL iff cookies are disabled.
If cookies are enabled,Without appending session-id the original URL will be returned.
At server side we can identify whether session-id is coming as part of the URL or by the request header cookie by using the following HttpServletRequest interface methods.
public boolean isRequestedSessionIdFromURL()
public boolean isRequestedSessionIdFromCookie()
By using these methods, we can identify underlying session management technique.
Advantage of URL-Rewriting
There is no chance of enabling or disabling URL-Rewriting technique,Hence it is inversely supported.
Limitations of URL-Rewriting
- It is very difficult to rewrite all url’s to append session information.
- URL-Rewriting works only for dynamic documents.
Note:To maintain web application session management more robust, we have to use both cookies & URL-Rewriting together.
Cookies will run the show if they are enabled other wise URL-Rewriting run the show,so that session management always possible.