Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] Embedded Jetty default session behaviour

Hi Guillaume,

According to the servlet specification, you are forbidden from sharing sessions between contexts - you may re-use the same session id, but you may _not_ share the same contents so I don't think you should have been sharing the SessionManager in jetty-9.3 it might have worked, but wasn't recommended ;) 

You didn't post the code that showed your contexts/handlers set up: I'm confused as to why you would have more than one SessionHandler in a HandlerList?

In jetty-9.4, the SessionCache is 1:1 with a SessionHandler, and each context has it's own SessionHandler. We go to some trouble to correctly identify a request passing through different contexts with the same session id (but different contents), and make sure that each session instance is correctly handled as the request enters and exits each context. If you try and circumvent that, all kinds of things could happen.  On the other hand, if you don't do any cross-context dispatch, then this is not a problem, but then again you wouldn't be trying to reuse the same session amongst contexts, so I assume you _do_ do cross context dispatch?

So in short, I strongly advise you not to try to circumvent the servlet spec prohibition on sharing session contents as some kind of poor-man's single sign on. Instead, the correct thing to do is to identify the info you want shared, and make that available in each context by other means, maybe even using your own cookie rather than the session cookie to carry your single-sign-on data.

And finally, we've been working on the documentation for jetty-10 and there is a great deal more information available for programming with sessions than before. Even though it is for jetty-10, it is pretty much all applicable for jetty-9.4 too, so I encourage you to have a read of it as it might be helpful to you:


On Wed, 23 Dec 2020 at 12:16, Guillaume Maillard <guillaume.maillard@xxxxxxxxx> wrote:

Switching from 9.3 to 9.4, I'm a bit confused about the default behaviours about sessions.
We are using Jetty as embedded server, very simply using an HandlerList with some SessionHandler subclasses.

On previous versions of Jetty, to be able to use sessions in our case,
we just shared the session manager like that :

final SessionManager sessionManager = new HashSessionManager();
  for (Handler handler : handlerList) {
    if (handler instanceof SessionHandler) {
           ((SessionHandler) handler).setSessionManager(sessionManager);

And used a  HashSessionIdManager like this :
server.setSessionIdManager( new HashSessionIdManager() );

Even if I never understood why the session manager was not common by default,
after reading the 9.4 documentation, it's clear that the new system is a clean approach.
But I see no easy way to share the SessionCache.

I tried a naive approach:

final SessionIdManager sessionManager = new DefaultSessionIdManager(server);
final SessionCache cache = firstHandler.getSessionCache();
for (Handler handler : h.getHandlers()) {
    if (handler instanceof SessionHandler) {
           final SessionHandler sessionHandler = (SessionHandler) handler;
           ((SessionHandler) handler).setSessionCache(cache);

But a Session created from a handler is not shared with an other handler.
I wonder why it's not by default, and would be happy to know how this kind behaviour 
could be configured. I bet I missed a key point.



jetty-dev mailing list
To unsubscribe from this list, visit

Jan Bartel <janb@xxxxxxxxxxx>
Expert assistance from the creators of Jetty and CometD

Back to the top