Introduction to Servlet Session Management
Servlet Session Management is a mechanism in Java used by Web container to store session information. Session tracking is a way to manage the data of a user, this is known as session management in servlet. Session in Java are managed through different ways, such as, HTTP Session API, Cookies, URL rewriting, etc. Session management or tracking is an important feature of modern websites that allows server to remember clients. Before entering into this topic, session is a conversation between server and client, it contains series of continuous requests and responses.
Why is Session Maintained?
When there are continuous request and responses from same client to server, so the server cannot identify from which client are requests being sent. As HTTP is a Stateless protocol.
Although there is an advantage of being stateless, some requests enforce in maintaining state in order to maintain proper functionality.
Session Management/ Tracking Methods
- User Authorization: It is one way where user provides Username and password or any authentication credentials from login and then these are passed via server and client to maintain the servlet session. It is not much effective as this does not work if same user is logged from different browsers.
- URL rewriting: User can append session identifier parameter with every request and response to keep track of session. It is tedious as user needs to keep track of parameter in each response and to make sure, it does not clash with other parameters.
- Hidden Fields: User has access to create unique field in HTML which is hidden, when user starts navigating, user will be able to set the value uniquely to customer and have track over the session. This method is not used with links as this needs form being submitted each time there is a request made from client to the server with any hidden fields. It is not much secure as user can get this hidden field value from source code and use to hack sessions.
- Session Tracking API: It is built on top of all other Tracking methods. This type of session tracking is used for developers to minimize overhead of session tracking. Major disadvantage is that most of the time, user need not have to track session, but need to store some data in the session that can be used in future requests.
- Cookies: Cookie is a key value pair of information sent by server to browsers. It is the most used technology for session tracking. Cookie is a smallest piece of information sent by the web server in head tag and is stored as browser cookie. When there is a further request, cookies get added to the requested header and can be utilized to keep track of servlet session. If customer disables cookie, servlet session with cookie will not work.
- Two types in Cookies:
- Non-persistent Cookie: It is valid only for single session and is removed each time when browser gets closed.
- Persistent Cookie: It is valid for multiple sessions and is removed only when user logs out but not when browsers get closed.
- HTTP and SSL: Browsers that support Secure Socket Layer communication use SSL support via HTTPS to generate unique session key as part of encrypted conversation. Modern sites like e-commerce, ticket booking, Internet banking, etc., use HTTPs to securely transfer data and manage session.
How to Create New Session Object and Enable?
- Make a new session object.
request.getSession() is the method that creates new session object. Container generates new session ID for present session and sends back to client.
HttpSession session = request.getSession();
- Store information in session object.
Session objects are just hash tables that store user objects and associate user object with keys.
- Look up for information associated with Servlet.
If session already exists, session code tells container to extract ID from cookies. Container uses this ID as key to search table of previously created HttpSession objects. If there is a session found, user can access that session by getAttribute(‘key’) method.
Key Method Used in HTTPSession
- isNew(): Returns true is user does not know about the session. If cookies are disabled, then session is new.
- getId(): Returns string that contains unique identifier that is assigned to this session. Is used while using URL rewriting the session.
- getAttribute(): Returns the object bound in present session.
- setAttribute(): Binds object to present session, uses specified name.
- invalidate(): Expires current session and unbinds the object binded
- setMaxInactiveInterval(): Specifies time between client requests before servlet invalidates session. Negative time indicates session shouldn’t timeout.
With this we shall conclude the topic ‘Servlet session Management’. We have seen what Servlet Session Management means and the types of Session tracking or management methods such as User Authorization, Hidden fields, HTTPS or SSL, URL Rewriting, Cookies, and Session tracking API. We have also seen How to create Session Object and enable it, listed out some methods applicable to session objects. Thanks! Happy Learning!!
This is a guide to Servlet Session Management. Here we also discuss the introduction and why is session maintained? along with key method used in HTTPSession. You may also have a look at the following articles to learn more –