Servlet Session Tracking API: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 18: Line 18:
Both unauthenticated users and authenticated users can maintain sessions.
Both unauthenticated users and authenticated users can maintain sessions.


=Session Lifecycle=


When a user first accesses a web application, that user is assigned a new <tt>javax.servlet.http.HttpSession</tt> object and a unique session ID. The session ID identifies the user and it is used to match the user with <tt>HttpSession</tt> object in subsequent requests. <tt>HttpSession</tt> provides a way to identify a user across more than one page request or visit to a Web site and to store information about that user. The servlet container uses this interface to create a session between an HTTP client and an HTTP server. The session persists for a specified time period, across more than one connection or page request from the user. A session usually corresponds to one user, who may visit a site many times.


When a user first accesses a web application, that user is assigned a new {{javax.servlet.http.HttpSession}} object and a unique session ID. The session ID identifies the user and it is used to match the user with {{HttpSession}} object in subsequent requests. {{HttpSession}} provides a way to identify a user across more than one page request or visit to a Web site and to store information about that user. The servlet container uses this interface to create a session between an HTTP client and an HTTP server. The session persists for a specified time period, across more than one connection or page request from the user. A session usually corresponds to one user, who may visit a site many times.
Behind the scenes, the session ID is usually saved on the client in a cookie called JSESSIONID. For clients that don't support cookies, the session ID can be sent as part of a rewritten URL, encoded using a <tt>jsessionid</tt? parameter, e.g. <tt>http://server.com/servlet/MyServlet__;jsessionid=123__?item=1234</tt>. Other implementations using SSL are also possible.  


Behind the scenes, the session ID is usually saved on the client in a cookie called JSESSIONID. For clients that don't support cookies, the session ID can be sent as part of a rewritten URL, encoded using a {{jsessionid}} parameter, e.g. {{http://server.com/servlet/MyServlet__;jsessionid=123__?item=1234}}. Other implementations using SSL are also possible.  
The programmer can get the <tt>HttpSession</tt> associated with an user from inside the servlet using <tt>getSession()</tt> method.  


The programmer can get the {{HttpSession}} associated with an user from inside the servlet using {{getSession()}} method.  
The programmer then can save any set of arbitrary Java objects in a session object (the only limitation is that the saved objects must be <tt>Serializable</tt>). To add data to the session, use


The programmer then can save any set of arbitrary Java objects in a session object (the only limitation is that the saved objects must be {{Serializable}}). To add data to the session, use {{public void HttpSession.setAttribute(String name, Object value)}}. To retrieve data from a session use {{public Object HttpSession.getAttribute(String name)}}.
<pre>
public void HttpSession.setAttribute(String name, Object value)
</pre>
 
To retrieve data from a session use
 
<pre>
public Object HttpSession.getAttribute(String name)
</pre>

Revision as of 22:56, 31 May 2016

Internal

Overview

The servlet API provides facilities that help the developer to track the servlet's session. Servlets have built-in session tracking. The level of support, however, depends on the web server. Most servers support session tracking through the use of persistent cookies, and when the client doesn't accept cookies, the servers could revert to URL rewriting.

JBossWeb and Tomcat manage HTTP sessions for web applications.

Establishing a Session

To ensure that a session is properly maintained, the getSession() method must be called at least once before committing the response. Sessions are not created automatically, unless we invoke HttpServletRequest.getSession(), which is equivalent with HttpServletRequest.getSession(true).

Authentication and Session

Both unauthenticated users and authenticated users can maintain sessions.

Session Lifecycle

When a user first accesses a web application, that user is assigned a new javax.servlet.http.HttpSession object and a unique session ID. The session ID identifies the user and it is used to match the user with HttpSession object in subsequent requests. HttpSession provides a way to identify a user across more than one page request or visit to a Web site and to store information about that user. The servlet container uses this interface to create a session between an HTTP client and an HTTP server. The session persists for a specified time period, across more than one connection or page request from the user. A session usually corresponds to one user, who may visit a site many times.

Behind the scenes, the session ID is usually saved on the client in a cookie called JSESSIONID. For clients that don't support cookies, the session ID can be sent as part of a rewritten URL, encoded using a jsessionid</tt? parameter, e.g. http://server.com/servlet/MyServlet__;jsessionid=123__?item=1234. Other implementations using SSL are also possible.

The programmer can get the HttpSession associated with an user from inside the servlet using getSession() method.

The programmer then can save any set of arbitrary Java objects in a session object (the only limitation is that the saved objects must be Serializable). To add data to the session, use 

public void HttpSession.setAttribute(String name, Object value)

To retrieve data from a session use 

public Object HttpSession.getAttribute(String name)
Retrieved from "https://kb.novaordis.com/index.php?title=Servlet_Session_Tracking_API&oldid=9528"