    Session Tracking In Servlets

    HTTP is a stateless protocol: any interaction between the client browser and a servlet lasts only as long as the browser is connected to the server. The moment the browser is closed the session is lost, and the server has no way of knowing anything about the client if it accesses the server again. In applications where keeping track of the end user is a must, such as online shopping or online banking, the session between user and server has to be tracked. Servlets offer several mechanisms for maintaining a session between the two. One of them is cookies. Cookies are small text files sent by the server and stored in the client browser, which depends on whether the browser supports cookies. By default these cookies are deleted the moment client-server communication ends, but a developer can make them persist for a specified period of time. When the browser accesses the same site again, the cookie already stored in the browser is sent back to the server.
    Here is a snippet of code showing how to set the maximum time a cookie can stay alive.

    Cookie cookie = new Cookie ("user", "smart");
    cookie.setMaxAge ( 60 * 60 * 24 * 365 );//setting max age here to one year.

    // Add cookie to response
    response.addCookie (cookie);

    A cookie usually holds a name/key and value pair. Putting user ID related information in a cookie can be a security risk where computers are shared by different people: it gives others an opportunity to sneak into your online resources. It is advisable not to set the maximum age of a cookie too long; ideally a minute or two is good from a security point of view. State shared during session management should ideally not last long; state information that is needed for longer should be stored in a persistent area such as a database. Because of the security risks, and because some browsers do not support cookies, cookies may not be an ideal choice if the servlets need widespread support from all browsers.
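
    The advice above, as an added example that is not code from the original post: the cookie carries only a random token with a two-minute lifetime, and the user ID stays in a server-side store. The class name, cookie name, in-memory map and the javax.servlet package are assumptions, and setHttpOnly/setSecure are additions beyond what the post describes.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): the cookie holds a random token, never the user id.
public final class OpaqueTokenCookies {
    private static final String COOKIE_NAME = "track";  // assumed name
    private static final int MAX_AGE_SECONDS = 120;     // "a minute or two"
    private static final SecureRandom RANDOM = new SecureRandom();
    // In-memory stand-in for the persistent store (e.g. a database).
    private static final Map<String, Entry> STORE = new ConcurrentHashMap<>();

    private static final class Entry {
        final String userId;
        final long expiresAt;
        Entry(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    public static void issue(HttpServletResponse response, String userId) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        STORE.put(token, new Entry(userId, System.currentTimeMillis() + MAX_AGE_SECONDS * 1000L));
        Cookie cookie = new Cookie(COOKIE_NAME, token);
        cookie.setMaxAge(MAX_AGE_SECONDS); // browser drops it after two minutes
        cookie.setHttpOnly(true);          // not readable by page scripts
        cookie.setSecure(true);            // only sent over HTTPS
        cookie.setPath("/");
        response.addCookie(cookie);
    }

    // Returns the user id for a known, unexpired token, otherwise null.
    public static String resolve(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();   // null when none were sent
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            Entry e = STORE.get(c.getValue());
            if (e != null && e.expiresAt >= System.currentTimeMillis()) return e.userId;
            STORE.remove(c.getValue());  // unknown or expired: enforce expiry server-side too
            return null;
        }
        return null;
    }
}
```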

    Other approaches in use are:
    -URL Rewriting
    -Hidden Form Fields
    -HttpSession object based session management

    In URL rewriting, a URL is appended with some data, automatically encoded, each time it is accessed through the client browser.
    If URL rewriting is supported, it allows browsers without cookie support to access the servlet with session tracking. As an example, to encode a reference to a servlet, we could use the following code:

    // HttpServletResponse.encodeURL adds session data automatically
    // (encodeUrl, with a lower-case "rl", is the deprecated spelling)
    String encoded = response.encodeURL ( "/servlets/TestServlet" );

    In URL rewriting, every local URL the user clicks is dynamically modified, or rewritten, to include extra information, which can take the form of extra path information, added parameters, or some custom, server-specific URL change. Usually it is limited to a unique session ID.

    In hidden form fields, the HTML entry for a field has the attribute 'type' with the value 'hidden', e.g.:
    <input type="hidden" name="name" value="">

    With this mechanism, whenever the form is submitted the name/value pair is sent along with the GET or POST request. It is better to use POST so that the session ID is not visible during request submission.

    HttpSession object based session management has already been discussed in detail in one of the previous posts.


    1. Hi..
      I need a servlet file that gets the username that I entered in the login page as a session value, and if somebody enters using the same name then it shows session already in use.. I am new to Servlet, I don't have any idea regarding my problem.. Please help me

    2. First you have to understand how session management works in Java. When you get the HttpSession object from the request object of an HttpServlet, there are various ways you can do session management: either through URL rewriting, cookies or Secure Sockets Layer (SSL) information. Here is a snippet with the HttpSession object:
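      // Step 1: Get the Session object
      HttpSession session = request.getSession(true);

      // Step 2: Get the session data value
      String username = (String) session.getAttribute ("username");
      if (username == null) {
          // Nothing stored in this session yet: prompt an appropriate message,
          // then store the submitted name (the "username" request parameter
          // is an assumption; the original stored the null value back)
          username = request.getParameter ("username");
          session.setAttribute ("username", username);
      }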

      I hope it helps...

    3. This is what I did before, and unfortunately if the user closes the browser what happened was it wouldn't allow him to login...

    4. I want to thank the blogger very much not only for this post but also for his all previous efforts. I found www.interviewjava.com to be greatly interesting. I will be coming back to www.interviewjava.com for more information.

