Methods to Maintain a HTTP Session: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
Line 25: Line 25:
=User Authentication=
=User Authentication=


One way to perform session tracking is to leverage the information that comes with user authentication. After the client logs in, the username is available to a servlet through {{getRemoteUser().}} We can use the username to track a client session. Once the user has logged in, the browser remembers her username and resends the name and the password as the user makes new requests. A servlet can identify the user through her user name and thereby track her session.  
One way to perform session tracking is to leverage the information that comes with user authentication. After the client logs in, the username is available to a servlet through <tt>getRemoteUser()</tt>. We can use the username to track a client session. Once the user has logged in, the browser remembers her username and resends the name and the password as the user makes new requests. A servlet can identify the user through her user name and thereby track her session.  


Avantages:
Avantages:
* It is easy to implement, simply tell the server to protect a set of pages and then use {{getRemoteUser()}}.
* It is easy to implement, simply tell the server to protect a set of pages and then use <tt>getRemoteUser()</tt>.
* This techniques works even when the user accesses the site from different machines.
* This techniques works even when the user accesses the site from different machines.
Disadvantages:
Disadvantages:
Line 35: Line 35:
* A user cannot maintain simultaneoulsy more than one session at the same time.
* A user cannot maintain simultaneoulsy more than one session at the same time.


!!3. Hidden Form Fields
=Hidden Form Fields=


One way to support anonymous session tracking is to use hidden form fields:
One way to support anonymous session tracking is to use hidden form fields:
{{{
 
<pre>
     <FORM ACTION="/servlet/MyServlet" METHOD=POST>
     <FORM ACTION="/servlet/MyServlet" METHOD=POST>
         ...
         ...
         <INPUT TYPE=hidden NAME="id" VALUE="34F4E3VKS423">
         <INPUT TYPE=hidden NAME="id" VALUE="34F4E3VKS423">
     </FORM>}}}
     </FORM>
</pre>


The hidden fields are not displayed in the client's browser and they are sent back to the server when the form is submitted. In a sense, the hidden forms define constant variables for a form. To a servlet receiving the form, there is no difference between a hidden field and a visible field.  
The hidden fields are not displayed in the client's browser and they are sent back to the server when the form is submitted. In a sense, the hidden forms define constant variables for a form. To a servlet receiving the form, there is no difference between a hidden field and a visible field.  
Line 52: Line 54:
* The session persist only through sequences of dynamically generated forms. The session cannot be maintained with static documents, emailed documents, bookmarked documents or browser shutdowns.
* The session persist only through sequences of dynamically generated forms. The session cannot be maintained with static documents, emailed documents, bookmarked documents or browser shutdowns.


!!4. URL Rewriting
=URL Rewriting=


URL rewriting is another way to support anonymous session tracking. When the response page is generated on the server, the embedded URLs the user might click on are dynamically modified (or rewritten) to include session information. There are three ways to rewrite an URL:
URL rewriting is another way to support anonymous session tracking. When the response page is generated on the server, the embedded URLs the user might click on are dynamically modified (or rewritten) to include session information. There are three ways to rewrite an URL:


;__1.__ Extra path information.: The extra information, usually an unique session ID, is appended to the URL as extra path:\\{{http://server:port/servlet/MyServlet/__123__}}\\This works well on all servers, but it doesn't work well if the servlet has to use the extra path information as true path information.
==Extra path information==
 
The extra information, usually an unique session ID, is appended to the URL as extra path: <tt>http://server:port/servlet/MyServlet/__123__</tt>. This works well on all servers, but it doesn't work well if the servlet has to use the extra path information as true path information.
 
==Added parameters==
 
The extra information is appended as a parameter part of the query string: <tt>http://server:port/servlet/MyServlet__?sessionID=123__</tt>. This works on all servers, but it can cause parameter naming collisions.  


;__2.__ Added parameters.: The extra information is appended as a parameter part of the query string:\\{{http://server:port/servlet/MyServlet__?sessionID=123__}}\\This works on all servers, but it can cause parameter naming collisions.
==Custom server-specific URL change==


;__3.__ Custom server-specific URL change.: The session information is encoded in URL in a non-standard way:\\{{http://server:port/servlet/MyServlet__;sessionID=123__}}\\This may not work well on all servers.
The session information is encoded in URL in a non-standard way: <tt>http://server:port/servlet/MyServlet__;sessionID=123__</tt>. This may not work well on all servers.


The advantages and disadvantages of URL rewriting closely match those of hidden form fields. The major difference is that URL rewriting works for all dynamically created documents, not just forms.
The advantages and disadvantages of URL rewriting closely match those of hidden form fields. The major difference is that URL rewriting works for all dynamically created documents, not just forms.

Latest revision as of 22:42, 31 May 2016

Internal

Persistent Cookies

Cookies are pieces of information generated by a Web server and stored by the user's browser, ready for future access. When a browser receives a cookie, it saves the cookie and thereafter sends the cookie back to the server it has seen it from each time it accesses a page on that server, subject to certain rules. Because a cookie's value can uniquely identify a client, cookies are often used for session tracking.

The cookies are transferred using HTTP headers and the servlet API has special method calls to help dealing with cookies.

To retrieve the cookies from the request, use: 

public Cookie[] HttpServletRequest.getCookies()

To send cookies, use 

public void HttpServletResponse.addCookie(Cookie cookie)

Because cookies are sent using HTTP headers, they should be added to the response before the response had been committed.

User Authentication

One way to perform session tracking is to leverage the information that comes with user authentication. After the client logs in, the username is available to a servlet through getRemoteUser(). We can use the username to track a client session. Once the user has logged in, the browser remembers her username and resends the name and the password as the user makes new requests. A servlet can identify the user through her user name and thereby track her session.

Avantages:

  • It is easy to implement, simply tell the server to protect a set of pages and then use getRemoteUser().
  • This techniques works even when the user accesses the site from different machines.

Disadvantages:

  • It requires each user to register for an account and then log on each time he starts visting the site.
  • HTTP basic authentication provides no logout mechanism, the user has to exit the browser to log out.
  • A user cannot maintain simultaneoulsy more than one session at the same time.

Hidden Form Fields

One way to support anonymous session tracking is to use hidden form fields: 

    <FORM ACTION="/servlet/MyServlet" METHOD=POST>
        ...
        <INPUT TYPE=hidden NAME="id" VALUE="34F4E3VKS423">
    </FORM>

The hidden fields are not displayed in the client's browser and they are sent back to the server when the form is submitted. In a sense, the hidden forms define constant variables for a form. To a servlet receiving the form, there is no difference between a hidden field and a visible field.

Advantages:

  • Hidden fields are supported by all the popular browsers, they demand no special server requirements.
  • Hidden fields can be used with clients that haven't registered or logged in.

Disadvantages:

  • The session persist only through sequences of dynamically generated forms. The session cannot be maintained with static documents, emailed documents, bookmarked documents or browser shutdowns.

URL Rewriting

URL rewriting is another way to support anonymous session tracking. When the response page is generated on the server, the embedded URLs the user might click on are dynamically modified (or rewritten) to include session information. There are three ways to rewrite an URL:

Extra path information

The extra information, usually an unique session ID, is appended to the URL as extra path: http://server:port/servlet/MyServlet/__123__. This works well on all servers, but it doesn't work well if the servlet has to use the extra path information as true path information.

Added parameters

The extra information is appended as a parameter part of the query string: http://server:port/servlet/MyServlet__?sessionID=123__. This works on all servers, but it can cause parameter naming collisions.

Custom server-specific URL change

The session information is encoded in URL in a non-standard way: http://server:port/servlet/MyServlet__;sessionID=123__. This may not work well on all servers.

The advantages and disadvantages of URL rewriting closely match those of hidden form fields. The major difference is that URL rewriting works for all dynamically created documents, not just forms.

Retrieved from "https://kb.novaordis.com/index.php?title=Methods_to_Maintain_a_HTTP_Session&oldid=9520"