Session Management

A session holds information specific to a particular user across the whole application and consists of multiple requests and responses between client and server. Since both HTTP and the web server are stateless (each request is treated as a new one), the only way to maintain a session is to pass some unique piece of information about it (the session id) between server and client in every request and response.

To maintain the state (data) of a user, we use session tracking. In servlets this is referred to as session management.

Session tracking uses the following four techniques:
Cookies
  • A cookie is a small piece of information that the web server sends in a response header; the browser stores it in its cookie jar.
  • When a further request is made by the client, it adds the cookie to the request header and we can utilize it to keep track of the session.
  • There is no method to remove a cookie directly; instead we set its maximum age to 0, which makes the browser delete it immediately.
  • It doesn’t work if the client disables cookies.
  • If cookies are disabled on the client side and we are using URL rewriting, the container takes the session id from the request URL to find the corresponding session.
  • Types of cookies –
    • A non-persistent cookie is valid for a single session only; it is removed each time the user closes the browser.
    • A persistent cookie is valid across multiple sessions; it is not removed when the browser closes, only when it expires or the user logs out or signs out.
  • Methods available for cookies –
    • addCookie(Cookie c) – adds a cookie to the response object.
    • getCookies() – returns all the cookies the browser sent with the request (null if the request carries none).
    • setMaxAge(int expiry) – sets the maximum age of the cookie in seconds.
  • Eg –
    • Cookie ck=new Cookie("user","");
    • ck.setMaxAge(0);
    • response.addCookie(ck);
    • Cookie ck[]=request.getCookies();  
Hidden Form Field
  • Inside our HTML we can create a hidden field and set its value to something unique to the user when the user starts navigating, then use it to keep track of the session.
  • It is not a secure method.
  • However, it is useful when every page submits a form and we do not want to depend on browser cookies.
  • Eg –
    • <input type="hidden" name="name" value="Ram">
URL Rewriting
  • With every request and response, we can append a session identifier parameter to keep track of the session.
  • It’s a very easy technique to use as it involves just one step – encoding the URL.
  • It is a fallback approach that kicks in only if the browser has cookies disabled.
  • We can encode a URL with HttpServletResponse.encodeURL(), and when we redirect the request to another resource while preserving session information we use encodeRedirectURL().
  • Parameters are sent as name/value pairs in the following format: url?name1=value1&name2=value2&...
  • Eg –
    • out.print("<a href='Servlet?name=" + n + "'>visit</a>");
HttpSession
  • HttpSession allows us to store objects as attributes that can be retrieved in later requests.
  • It can perform the below tasks:
    • bind objects
    • view and change information about a session, such as the session identifier, creation time, or last-accessed time.
  • Methods available for HttpSession –
    • HttpSession getSession() –
      • This method always returns an HttpSession object.
      • If a session is attached to the request it returns that session; otherwise it creates a new session and returns it.
    • HttpSession getSession(boolean flag) –
      • With false as the flag (as in the example below): if the request already has a session, it returns that HttpSession object; if no session is attached, it returns null.
      • With true as the flag it behaves like getSession() and creates a session when none exists.
  • Eg –
    • HttpSession session=request.getSession(false);  
    • String n=(String)session.getAttribute("name");
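The following servlet is an added example (not from the original notes) that ties the four techniques above together: it creates an HttpSession and a marker cookie on login, reads the session with getSession(false) and handles the null case, uses encodeURL() so the link still works when cookies are refused, carries the next action in a hidden field, and on logout invalidates the session and deletes the cookie with setMaxAge(0). It assumes the Servlet 3.x (javax.servlet) API, a URL of /SessionDemo and the parameter names action and name.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
// Added example, not from the original notes. Assumes the Servlet 3.x (javax) API.
@WebServlet("/SessionDemo")
public class SessionDemo extends HttpServlet {
    // Minimal HTML escaping so a stored name cannot inject markup into the page.
    private static String esc(String s) {
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    }
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String action = request.getParameter("action");
        if ("login".equals(action)) {
            HttpSession session = request.getSession();   // creates one if absent
            session.setAttribute("name", request.getParameter("name"));
            Cookie ck = new Cookie("user", "loggedin");    // marker only, no user data
            ck.setMaxAge(60 * 60);                         // persistent for one hour
            ck.setHttpOnly(true);                          // not readable by page scripts
            response.addCookie(ck);
            // encodeURL() appends ;jsessionid=... only when the client refused cookies
            out.print("<a href='" + response.encodeURL("SessionDemo?action=visit") + "'>visit</a>");
        } else if ("visit".equals(action)) {
            HttpSession session = request.getSession(false);   // never creates a session,
            if (session == null) {                               // so null must be handled
                out.print("No session: please log in first");
                return;
            }
            String n = (String) session.getAttribute("name");
            out.print("Hello " + esc(n));
            // Hidden field carries the next action without depending on cookies
            out.print("<form action='SessionDemo'><input type='hidden' name='action' value='logout'>"
                    + "<input type='submit' value='logout'></form>");
        } else if ("logout".equals(action)) {
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();     // drop server-side state
            Cookie ck = new Cookie("user", "");
            ck.setMaxAge(0);                               // browser deletes the cookie
            response.addCookie(ck);
            out.print("Logged out");
        }
    }
}
```

Deploy it in a servlet container and request SessionDemo?action=login&name=Ram, then follow the visit link with cookies enabled and again with cookies disabled to see the jsessionid appear in the URL.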