We all know that
HTTP is a stateless protocol i.e. all requests and responses are independent. But sometimes developers need to keep track of the client’s activity across the multiple requests. In this tutorial, we will see how to achieve the Session Management in Servlet Java programming.
Session tracking or Session management is an important feature of the modern web-applications which allows the server to remember its clients i.e. (it stores the session information for a particular user). By keeping a session for each user, web-server can serve the client better. It helps in safety, security, and personalization which is must for certain kind of web applications. For e.g. E-commerce sites like Amazon or eBay stores the item selected by the user for purchase in a shopping cart, even after the user is logged out.
HTTP is a stateless protocol, there are no ways to know that the two
HTTP requests are related to each other i.e. they are coming from the same client or they are part of the same process. Session tracking is a mechanism that Servlets and Java Web application uses to maintain the state about a series of request from the same user across some period of time. By keeping a session, an e-commerce site can maintain add to card facility and also keep tracks of how the user interacts with the application. Since
HTTP doesn’t provide a default way to track session, there are some non-standard ways to manage the sessions in Servlet JSP based application.
Let’s have a close look at them.
1.1 Types of Session Tracking in Servlet
Since session management needs to work with all web-browsers and even considers the user’s security preference, an identifier i.e. a
JSESSIONID is used to keep track of the request coming from the same client during a time duration. There are four main ways to manage the session in java web-application:
- URL rewriting
- Hidden form fields
- HTTPS and SSL
Let’s see them in more detail.
1.1.1 URL Rewriting
URL rewriting is a method of session tracking in which some extra data (i.e. session id) is appended at the end of each
URL. This extra data identifies the session. The server can associate this session identifier with the data it has stored about that session. This method is used with the browsers that do not support the cookies or where the user has disabled the cookies. If developers need to track session from the JSP pages, then developers can use the
<c:out> tag for the URL rewriting.
A cookie is a small amount of information sent by a servlet to a web-browser. A cookie is saved by the browser and later sent back to the server in the subsequent requests. A cookie has a name, a single value, expiration date, and other optional attributes. A cookie’s value can uniquely identify a client.
Since a client can disable the cookies, this is not the most secure and fool-proof way to manage the session. If cookies are disabled then developers can fall back to the
URL rewriting in order to encode the session id e.g.
JSESSIOINID into the
1.1.3 Hidden Form Fields
This is one of the oldest ways to do the session tracking in a servlet application. In this approach, the server embeds the hidden fields in the form page for the client. When the client submits the form to the server the hidden fields identify the client. Although, this approach is not secure as developers can get the hidden field value from the
HTML source and can even use it to hack the session.
1.1.4 Secure Socket Layer (SSL) Sessions
Web browsers that support the Secure Socket Layer communication can use SSL’s support via HTTPS for generating a unique session key as a part of the encrypted conversation. Modern day’s online internet banking website, ticket booking websites, e-commerce retailers like Amazon and eBay use HTTPS to securely transfer the data and manage the session.
That’s all about the different ways to track a session in the Java Web application. A cookie is the most popular way to manage the session with a fallback to URL rewriting when Cookies are not enabled on the client side. While the security sensitive applications e.g. online e-commerce portals like Amazon, Flipkart, eBay, Online banking websites, travel booking websites or any other websites which deal with the sensitive information e.g. personal, financial or professional use SSL and HTTPS to secure transfers and maintain them.
In this section, developers learned how to maintain the session between the client and the web server. I hope this article served you with whatever developers are looking for.