
    Session Tracking In Servlets

    HTTP is a stateless protocol: each request a browser sends to a servlet is handled on its own, and once the browser is closed nothing on the server ties the next visit to the earlier one. Applications that must keep track of an end user, such as online shopping or online banking, therefore need a way to maintain a session between the user and the server. Servlets offer several mechanisms for this, one of which is cookies.

    A cookie is a small piece of text sent by the server and stored by the client browser, provided the browser supports cookies and has not disabled them. By default a cookie lasts only until the browser is closed, but the developer can give it a maximum age so that it persists for a specified period. When the browser accesses the same site again, the stored cookie is sent back to the server with the request.

    Here is a snippet of code showing how to set the maximum time a cookie can stay alive:

    // javax.servlet.http.Cookie; response is the HttpServletResponse
    Cookie cookie = new Cookie("user", "smart");
    cookie.setMaxAge(60 * 60 * 24 * 365); // max age in seconds: one year here

    // Add cookie to response
    response.addCookie(cookie);

    A cookie carries a name/value pair. Putting user identity (for example a userId) directly in a cookie is a security risk: on a computer shared by several people, anyone who can read the cookie store can present that cookie and walk into your online resources, and because the value sits on the client it can also simply be edited. The cookie should carry only an opaque session identifier that the server maps to the user, and its maximum age should be kept short; an identifier that is valid only while the browser is open, or for a few minutes of inactivity, is far safer than one that lives for a year. State shared during session management should not stay on the client for long; anything needed longer belongs in a persistent store such as a database, keyed by the session. Because of these risks, and because some browsers do not support or accept cookies, cookies alone may not be the right choice when widespread support from all browsers is required.
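    As an added example (not code from the original post), here is the weak cookie from the snippet above beside a hardened one. It assumes the Servlet 3.0+ javax.servlet API; the cookie name sid, the 30-minute lifetime and the class name are choices made for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Assumes the Servlet 3.0+ API (setHttpOnly).
public final class SessionCookies {

    static final String NAME = "sid";                 // cookie name: an assumption
    private static final SecureRandom RNG = new SecureRandom();

    /** Weak: identity in clear text, stored on disk for a year. */
    static void addWeakCookie(HttpServletResponse response, String userId) {
        Cookie c = new Cookie("user", userId);
        c.setMaxAge(60 * 60 * 24 * 365);
        response.addCookie(c);
    }

    /** Opaque identifier: 128 bits from a CSPRNG, URL-safe base64 without padding. */
    static String newSessionId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Hardened: opaque id, short lifetime, HTTPS only, hidden from page scripts. */
    static void addHardenedCookie(HttpServletResponse response, String sessionId) {
        Cookie c = new Cookie(NAME, sessionId);
        c.setMaxAge(30 * 60);   // 30 minutes; -1 would make it a browser-session cookie
        c.setHttpOnly(true);    // not readable by scripts in the page
        c.setSecure(true);      // only sent over HTTPS
        c.setPath("/");         // narrow to the application path where it is not "/"
        response.addCookie(c);
    }

    /**
     * javax.servlet.http.Cookie has no SameSite setter, so to add that attribute the
     * Set-Cookie header is written by hand. Use this instead of addHardenedCookie,
     * not in addition to it, or the browser receives two cookies of the same name.
     */
    static String hardenedSetCookieHeader(String sessionId, int maxAgeSeconds) {
        return NAME + "=" + sessionId
                + "; Max-Age=" + maxAgeSeconds
                + "; Path=/; Secure; HttpOnly; SameSite=Strict";
    }

    static void addHardenedCookieWithSameSite(HttpServletResponse response, String sessionId) {
        response.addHeader("Set-Cookie", hardenedSetCookieHeader(sessionId, 30 * 60));
    }

    /** Reads the id back; getCookies() returns null when the request carries no cookies. */
    static String readSessionId(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) {
                return c.getValue();  // still only a lookup key: resolve it server-side
            }
        }
        return null;
    }
}
```

    The value that comes back in readSessionId is client-supplied input: look it up in the server-side session store and treat a miss as "no session", never as evidence of who the user is.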

    Other commonly used approaches are:
    -URL Rewriting
    -Hidden Form Fields
    -HttpSession object based session management

    In URL rewriting, every URL handed to the client browser is rewritten to carry some session data, usually the session ID, before it is sent, so that the data comes back with the next request.
    If URL rewriting is supported by the container, browsers without cookie support can still use the servlet with session tracking. To encode a reference to a servlet, use the following code (note the spelling: the older encodeUrl is deprecated in favour of encodeURL):

    // HttpServletResponse.encodeURL adds the session ID to the URL automatically,
    // but only when the container cannot rely on a cookie to carry it
    String url = response.encodeURL("/servlets/TestServlet");

    In URL rewriting, every local URL the client might click is dynamically modified, or rewritten, to include extra information, which can be extra path information, added parameters, or some custom, server-specific URL change. Usually it is limited to a unique session ID. The drawback is that a session ID in a URL ends up in browser history, bookmarks, proxy and server logs, and in the Referer header sent to other sites, so it leaks far more easily than a cookie.
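    The following servlet, added here as an example and not taken from the original post, shows where encodeURL and encodeRedirectURL belong and how to tell which way the session ID arrived. It assumes a Servlet 3.0+ container; the path /servlets/TestServlet is the one used in the text, while /account and the class name are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the original post. Assumes a Servlet 3.0+ container.
public class UrlRewritingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(true); // creates the session if needed

        // encodeURL appends ";jsessionid=..." only when the container cannot yet tell
        // that the client returns the id in a cookie (first response, or cookies off).
        // Once a cookie has come back, it returns the URL unchanged.
        String link = response.encodeURL(request.getContextPath() + "/servlets/TestServlet");

        // An id that arrived in the URL has been exposed in history and logs; a common
        // defence is to drop that session and start a fresh one rather than keep using it.
        boolean exposed = request.isRequestedSessionIdFromURL();
        if (exposed) {
            session.invalidate();
            session = request.getSession(true);
        }

        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            out.println("<p>Session id arrived via cookie: "
                    + request.isRequestedSessionIdFromCookie() + "</p>");
            out.println("<p>Session id arrived via URL: " + exposed + "</p>");
            out.println("<p>Session id valid on arrival: "
                    + request.isRequestedSessionIdValid() + "</p>");
            out.println("<a href=\"" + link + "\">next page</a>");
        }
    }

    /** Redirect targets must go through encodeRedirectURL, not encodeURL. */
    protected void redirectToAccount(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/account"));
    }
}
```

    If the application must never expose the ID in a URL, a Servlet 3.0 container can be told to use cookies only, with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml; encodeURL then never rewrites anything.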

    In hidden form fields, the HTML entry for the field has the attribute 'type' set to 'hidden', e.g.:

    <input type="hidden" name="sessionId" value="...">

    So in this mechanism, whenever the form is submitted the name/value pair travels with the request: in the query string for GET, or in the request body for POST. Prefer POST so that the session ID does not appear in the URL and hence in history and logs. This only hides it from the address bar, not from anyone who can view the page source or read the traffic, so the field's value remains client-controlled input that the server has to check against its own records before acting on it.
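    Added here as an example (not from the original post) is a servlet that tracks a session through a hidden field end to end: it generates the ID, stores the state server-side, and on each POST checks the submitted value before using it. It assumes a Servlet 3.0+ container; the field name sessionId, the path /hidden and the in-memory store are assumptions, and the store never expires entries, which a real deployment would have to add.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Assumes a Servlet 3.0+ container.
public class HiddenFieldServlet extends HttpServlet {

    static final String FIELD = "sessionId";       // hidden field name: an assumption
    private static final SecureRandom RNG = new SecureRandom();

    /** Server-side state keyed by the id carried in the hidden field (constructed for the example). */
    static final Map<String, List<String>> STORE = new ConcurrentHashMap<>();

    /** 128 random bits, URL-safe base64: unguessable and safe to place in an attribute. */
    static String newId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Returns the state for a submitted id, or null if it is missing, malformed or unknown. */
    static List<String> lookup(String submittedId) {
        if (submittedId == null || submittedId.length() > 64) {
            return null;               // reject before touching the store
        }
        return STORE.get(submittedId); // null for unknown or forged ids
    }

    private static void writeForm(PrintWriter out, String contextPath, String id) {
        out.println("<form method=\"post\" action=\"" + contextPath + "/hidden\">");
        out.println("  <input type=\"hidden\" name=\"" + FIELD + "\" value=\"" + id + "\">");
        out.println("  <input type=\"text\" name=\"item\">");
        out.println("  <input type=\"submit\" value=\"Add\">");
        out.println("</form>");
    }

    /** First visit: create state and hand the id to the client only inside the hidden field. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String id = newId();
        STORE.put(id, Collections.synchronizedList(new ArrayList<>()));
        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            writeForm(out, request.getContextPath(), id);
        }
    }

    /** Later visits: the id comes back as a parameter and is validated before use. */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String id = request.getParameter(FIELD);
        List<String> items = lookup(id);
        if (items == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "unknown session");
            return;
        }
        String item = request.getParameter("item");
        if (item != null && !item.isEmpty()) {
            items.add(item);
        }
        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            out.println("<p>items in this session: " + items.size() + "</p>");
            writeForm(out, request.getContextPath(), id); // re-emit the same id for the next submit
        }
    }
}
```

    The id itself is the only thing the client ever holds; user data stays in STORE, so editing the hidden field gains an attacker nothing unless they already know another live id.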

    HttpSession object based session management has already been discussed in details in one of previous posts.
