Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] Embedded Jetty default session behaviour


It is kind of strange that all your handlers are extensions of SessionHandler.  It would be far more normal to have your handlers contained within a single SessionHandler.  I think you are currently like this:

    +--> Handler1 extends SessionHandler
    +--> Handler2 extends SessionHandler
    +--> Handler3 extends SessionHandler 

I think you should instead be:

SessionHandler --> HandlerList
                       +--> Handler1 extends AbstractHandler
                       +--> Handler2 extends AbstractHandler
                       +--> Handler3 extends AbstractHandler 

On Wed, 23 Dec 2020 at 16:42, Guillaume Maillard <guillaume.maillard@xxxxxxxxx> wrote:

Thanks for the explanation about non shared context.
For simplicity, we are using Jetty as a basic HTTP server, no servlet are used (or abused :) ) , just Handlers.

Our server setup is closed to the basic one provided as example in the Jetty documentation :

Server server = new Server();
Connector connector = new ServerConnector(server);

HandlerList handlerList = new HandlerList();
  // ... Handler1 / 2 /3 are SessionHandler subclasses 
handlerList.addHandler(new Handler1()); 
handlerList.addHandler(new Handler2());
handlerList.addHandler(new Handler3());    


(I removed the HTTPs and other non relevant configs)

Our handlers are all SessionHandlers because we store data in sessions,
as the javax.servlet documentation specify : "Provides a way to identify a user across more than one page request or visit to a Web site and to store information about that user."

Or maybe is there a way to associate the same context for every SessionHandler?
Or creating a "HandlerList like" begin a subclass of  SessionHandler ?
By  "other means"  , do you mean a singleton map associating Session IDs and data we want to store by session?



Le mer. 23 déc. 2020 à 12:50, Jan Bartel <janb@xxxxxxxxxxx> a écrit :
Hi Guillaume,

According to the servlet specification, you are forbidden from sharing sessions between contexts - you may re-use the same session id, but you may _not_ share the same contents so I don't think you should have been sharing the SessionManager in jetty-9.3 it might have worked, but wasn't recommended ;) 

You didn't post the code that showed your contexts/handlers set up: I'm confused as to why you would have more than one SessionHandler in a HandlerList?

In jetty-9.4, the SessionCache is 1:1 with a SessionHandler, and each context has it's own SessionHandler. We go to some trouble to correctly identify a request passing through different contexts with the same session id (but different contents), and make sure that each session instance is correctly handled as the request enters and exits each context. If you try and circumvent that, all kinds of things could happen.  On the other hand, if you don't do any cross-context dispatch, then this is not a problem, but then again you wouldn't be trying to reuse the same session amongst contexts, so I assume you _do_ do cross context dispatch?

So in short, I strongly advise you not to try to circumvent the servlet spec prohibition on sharing session contents as some kind of poor-man's single sign on. Instead, the correct thing to do is to identify the info you want shared, and make that available in each context by other means, maybe even using your own cookie rather than the session cookie to carry your single-sign-on data.

And finally, we've been working on the documentation for jetty-10 and there is a great deal more information available for programming with sessions than before. Even though it is for jetty-10, it is pretty much all applicable for jetty-9.4 too, so I encourage you to have a read of it as it might be helpful to you:


On Wed, 23 Dec 2020 at 12:16, Guillaume Maillard <guillaume.maillard@xxxxxxxxx> wrote:

Switching from 9.3 to 9.4, I'm a bit confused about the default behaviours about sessions.
We are using Jetty as embedded server, very simply using an HandlerList with some SessionHandler subclasses.

On previous versions of Jetty, to be able to use sessions in our case,
we just shared the session manager like that :

final SessionManager sessionManager = new HashSessionManager();
  for (Handler handler : handlerList) {
    if (handler instanceof SessionHandler) {
           ((SessionHandler) handler).setSessionManager(sessionManager);

And used a  HashSessionIdManager like this :
server.setSessionIdManager( new HashSessionIdManager() );

Even if I never understood why the session manager was not common by default,
after reading the 9.4 documentation, it's clear that the new system is a clean approach.
But I see no easy way to share the SessionCache.

I tried a naive approach:

final SessionIdManager sessionManager = new DefaultSessionIdManager(server);
final SessionCache cache = firstHandler.getSessionCache();
for (Handler handler : h.getHandlers()) {
    if (handler instanceof SessionHandler) {
           final SessionHandler sessionHandler = (SessionHandler) handler;
           ((SessionHandler) handler).setSessionCache(cache);

But a Session created from a handler is not shared with an other handler.
I wonder why it's not by default, and would be happy to know how this kind behaviour 
could be configured. I bet I missed a key point.



jetty-dev mailing list
To unsubscribe from this list, visit

Jan Bartel <janb@xxxxxxxxxxx>
Expert assistance from the creators of Jetty and CometD

jetty-dev mailing list
To unsubscribe from this list, visit
jetty-dev mailing list
To unsubscribe from this list, visit


Back to the top