Mohit Singhal

• Jul 31st, 2006

 

The only way to know for sure is to set a cookie on a response, and see if
it comes back on the following request.  You have absolutely no clue from
looking just at the current request.  Just as an example, I run Netscape
6, configured to warn me every time about accepting a cookie -- so you
can't even look at the User-Agent header and predict whether *I* am going
to accept your cookie or not.

This is exactly what the servlet container does for you for session IDs,
as long as you use URL rewriting (done with the response.encodeURL()
method) to create all of your hyperlinks.  The container will send the
initial session id both ways (encoded in the URLs, and as a cookie).  If
the session id comes back later as a cookie, the container recognizes this
and stops doing the rewriting -- otherwise it continues.  But the only
safe thing for your application to do is *always* call encodeURL() to
generate all of your hyperlink destinations that should be part of the
same session.