Java Servlet Session Management Example

We all know that HTTP is a stateless protocol i.e. all requests and responses are independent. But sometimes developers need to keep track of the client’s activity across the multiple requests. In this tutorial, we will see how to achieve the Session Management in Servlet Java programming.

1. Introduction

Session tracking or Session management is an important feature of the modern web-applications which allows the server to remember its clients i.e. (it stores the session information for a particular user). By keeping a session for each user, web-server can serve the client better. It helps in safety, security, and personalization which is must for certain kind of web applications. For e.g. E-commerce sites like Amazon or eBay stores the item selected by the user for purchase in a shopping cart, even after the user is logged out.

Since HTTP is a stateless protocol, there are no ways to know that the two HTTP requests are related to each other i.e. they are coming from the same client or they are part of the same process. Session tracking is a mechanism that Servlets and Java Web application uses to maintain the state about a series of request from the same user across some period of time. By keeping a session, an e-commerce site can maintain add to card facility and also keep tracks of how the user interacts with the application. Since HTTP doesn’t provide a default way to track session, there are some non-standard ways to manage the sessions in Servlet JSP based application.

Let’s have a close look at them.

1.1 Types of Session Tracking in Servlet

Since session management needs to work with all web-browsers and even considers the user’s security preference, an identifier i.e. a JSESSIONID is used to keep track of the request coming from the same client during a time duration. There are four main ways to manage the session in java web-application:

  • URL rewriting
  • Cookies
  • Hidden form fields
  • HTTPS and SSL

Let’s see them in more detail.

1.1.1 URL Rewriting

URL rewriting is a method of session tracking in which some extra data (i.e. session id) is appended at the end of each URL. This extra data identifies the session. The server can associate this session identifier with the data it has stored about that session. This method is used with the browsers that do not support the cookies or where the user has disabled the cookies. If developers need to track session from the JSP pages, then developers can use the <c:out> tag for the URL rewriting.

1.1.2 Cookies

A cookie is a small amount of information sent by a servlet to a web-browser. A cookie is saved by the browser and later sent back to the server in the subsequent requests. A cookie has a name, a single value, expiration date, and other optional attributes. A cookie’s value can uniquely identify a client.

Since a client can disable the cookies, this is not the most secure and fool-proof way to manage the session. If cookies are disabled then developers can fall back to the URL rewriting in order to encode the session id e.g. JSESSIOINID into the URL itself.

Fig. 1: Cookies
Fig. 1: Cookies

1.1.3 Hidden Form Fields

This is one of the oldest ways to do the session tracking in a servlet application. In this approach, the server embeds the hidden fields in the form page for the client. When the client submits the form to the server the hidden fields identify the client. Although, this approach is not secure as developers can get the hidden field value from the HTML source and can even use it to hack the session.

1.1.4 Secure Socket Layer (SSL) Sessions

Web browsers that support the Secure Socket Layer communication can use SSL’s support via HTTPS for generating a unique session key as a part of the encrypted conversation. Modern day’s online internet banking website, ticket booking websites, e-commerce retailers like Amazon and eBay use HTTPS to securely transfer the data and manage the session.

That’s all about the different ways to track a session in the Java Web application. A cookie is the most popular way to manage the session with a fallback to URL rewriting when Cookies are not enabled on the client side. While the security sensitive applications e.g. online e-commerce portals like Amazon, Flipkart, eBay, Online banking websites, travel booking websites or any other websites which deal with the sensitive information e.g. personal, financial or professional use SSL and HTTPS to secure transfers and maintain them.

Happy Learning!!

2. Conclusion

In this section, developers learned how to maintain the session between the client and the web server. I hope this article served you with whatever developers are looking for.


An experience full-stack engineer well versed with Core Java, Spring/Springboot, MVC, Security, AOP, Frontend (Angular & React), and cloud technologies (such as AWS, GCP, Jenkins, Docker, K8).
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Back to top button