sharing sessions between PHP and JSP?

[stndn]

at work, we have some web pages written in JSP and a few others written in PHP (we're in process of migrating them)

Right now we have user login sessions implemented in JSP (done by another team) and PHP (done by our team).

I'm not sure how JSP or PHP store their session information, but can they be shared between one another?

What we're trying to accomplish is that, whenever a user login (through a PHP page), we want to save the session information (userid, login time, etc) and use the same information when accessing JSP pages as well.

Is there a way to do that, or are they automatically compatible with each other?

Thanks.

 

[Beau]

You could store session information in a database, rather than relying on cookies, then pass the session ID through a querystring at the end of your page addresses.

 

[stndn]

hmmm... but the problem is, is the session ID for JSP going to be the same for PHP?
ie: can both JSP and PHP read DSSDWER23342DD2323 (i made those up) and know that it's the login session the user A?

(sorry if i seem very lost -- i'm just starting to work with sessions)

thanks.

 

[kamper]

php and jsp will each store session ids in cookies. This is generated by the respective environments and not compatible. With jsp you have the option of setting a request parameter called jsessionid (either by url or hidden field) which the container will look for and use before cookies. I'm not aware of any such option in php.

In php, then you can more or less ignore the session id and just use the $_SESSION variable to store info that will persist between user sessions. In jsp it will be the session object. Since you will invariably want to store info about the user session in between requests you have two options (as I see it) for passing info back and forth between the two languages. You can use a database, which will allow for more complex storage, or request parameters (which would be difficult to manage and you could only pass a few variables back and forth anyway, and it would be insecure).

If it were me I would store all relevant session information in the database and identify it with some unique key. Then use the normal session management of the two languages to store that key. For instance, if you login in at a php page you create a session in the db and record the key. Then, if you want to send the user to a jsp page and keep their login you send that key to the client either in hidden fields, the url or a cookie. The jsp page picks up the key and finds the session info in the database. It can also store that key in it's session object for easy reference next time.

The management of user logout would be a little tricky because you have to go and manually remove the session from the db. You won't want to leave it there indefinitely because the user could close their browser and you'd never know so you'll need a timeout. Then, for each request, you'll have to make sure that the session is still valid (and hasn't been removed by the other language).

With something like this you probably have very little chance of integrating existing systems written in either language as you pretty much have to reimplement much of the session management that is already provided for you with either tool. If you're writing both sides from scratch this would certainly be possible but wouldn't it just be easier to pick one language and use it for everything?

 

[stndn]

Whoa, thanks for the information, kamper. Learned something new today -)

It's not like we don't want to rebuild everything from scracth and stick with one language. The problem is that we're still in the process of migrating from JSP to PHP while adding new features in PHP at the same time. Personally i'd rather redo everything in PHP and go ahead with single language, but i'm just a slave in a company ....

Anyways, i can see where you're going with managing the timeout and logout functions. I also know there will be a lot of overheads for checking if a session is still valid and what not... But with the information you gave, we might have better idea on how to approach this mess and think ahead of how the different languages will communicate with each other.

Thanks again.


and oh, btw ... 127.0.0.1 is localhost, not home ..
try ${HOME} next time ,p
(i know you know that, but i just thought i'd point it out ,D)

 

[eklass]

not sure if this was completely mentioned/clarified, but i'll repeat it cause i don't feel like reading other posts

although php typically uses a cookie to store the session id, don't confuse this with the actual session data. that is stored on the server. also, there is an option in php.ini (and which i think can be set on a per-script basis with predefined function) to only use cookies. there may be an option to _NOT_ use cookies *not sure* which means that PHP will auto-rewite URLS and forms

just my 2 red

 

[kamper]

Here would be the places to start for documentation on session handling in either, in case you haven't seen them yet:
php
servlet
jsp

The java ones are from tomcat, I assume they are generic and will apply to whatever container you are using, so long as it implements the same version of the api. The servlet docs contain the HttpSession object.

 

[kamper]

Check out phpbb if you have the patience to read their source code. Last time I looked in it they had their session data completely stored in the database and they store the session id in the url manually (I believe this is so that clients are not required to support cookies in order to login). For each request they grab the session id and load the info from the db. They also must generate their own ids for this.

Php will not rewrite urls or change forms for you. A server side language simply cannot do that (consider the possibility of changing a form's target using javascript on the client-side). If you want to avoid cookies you must micro-manage passing the id around by yourself. If your page generation is abstracted nicely that might not be too hard to do but it's a real pita.