If you want to use URL rewriting to maintain session state, do not include links to parts of your Web application in plain HTML files. This restriction is necessary because URL encoding cannot be used in plain HTML files. To maintain state using URL rewriting, every page that the user requests during the session must have code that can be understood by the Java interpreter. If you have such plain HTML files in your Web application and portions of the site that the user might access during the session, convert them to JSP files. This will impact the application writer because, unlike maintaining sessions with cookies, maintaining sessions with URL rewriting requires that each JSP template in the application must use URL encoding for every HREF attribute on <A> tags. Sessions will be lost if one or more JSP templates in an application do not call the encodeURL(String url) or encode RedirectURL(String url) methods.
Writing links
With URL rewriting, all links that you return to the browser or redirect must have the session ID appended to them. For example, this link in a Web page:
<a href="store/catalog">
is rewritten as
<a href="store/catalog;$jsessionid$DA32242SSGE2">
When the user clicks this link, the rewritten form of the URL is sent to the server as part of the client's request. The Servlet Engine recognizes ;$jsessionid$DA32242SSGE2 as the session ID and saves it for obtaining the proper HttpSession object for this user.
The following example shows how Java code may be embedded within a JSP file:
<% response.encodeURL ("/store/catalog"); %>
To rewrite the URLs you are returning to the browser, call the encodeURL() method in your JSP template before sending the URL to the output stream. For example, if a JSP template that does not use URL rewriting has:
out.println("<a href=\"/store/catalog\">catalog</a>")"
replace it with:
out.println("<a href=\""); out.println(response.encodeURL ("/store/catalog")); out.println("\">catalog</a>");
To rewrite the URLs you are redirecting, call the encodeRedirctURL() method. For example, if your JSP template has:
response.sendRedirect (response.encodeRedirectURL ("http://myhost/store/catalog"));
The encodeURL() and encodeRedirectURL() methods are part of the HttpServletResponse object. In both cases, these calls check to see if URL rewriting is configured before encoding the URL. If it is not configured, it returns the original URL.
Writing forms
To write forms for submission, call the response.encodeURL("Logon"); on the ACTION tag of the form template. For example,
String strLoginPost = response.encodeURL("Logon"); <FORM NAME="Logon" METHOD="post" ACTION= <%= strLoginPost %> > ... </FORM>
Writing the first page
The entry page, usually the home page, cannot contain frames. If you want to use frames in your store, you can have a non-frame page with a link to the store act as the store's entry page. However, if the store does use frames and a customer tries to access those pages with frames without going through the entry page first, their session may be lost. Customers can also lose their session if they use the Back button (only with frames) to return to the entry page and refresh the entry page. Refreshing the entry page gives them a new session ID. A link back to the entry page as an alternative to the Back button is necessary to help prevent this type of session loss.