Session Management

Session Introduction

  • HTTP is a stateless protocol, where each request and response is independent of other web interactions.

  • It is therefore necessary to save state information so that information can be collected from several interactions between a browser and a server. Sessions provide such a mechanism.

  • A new session is created if one does not already exist.

  • It is required to implement session management capabilities that link both the authentication and access control modules commonly available in web applications.

    Approaches to Session Tracking:

  1. Session API

  2. URL rewriting

  3. Cookies

  4. Hidden form fields

Session API (HttpSession interface)

The Java Servlet API provides an interface called HttpSession that can be used to keep track of sessions in the current servlet context.

Method                                  Description
HttpSession s = request.getSession();   Retrieves the current HttpSession associated with the user. If a session does not exist, one can be created by using getSession(true).
boolean b = s.isNew();                  Returns true if a new session ID has been created and has not yet been sent to the client.
s.invalidate();                         Returns nothing; it is used to destroy the existing session.
long l = s.getCreationTime();           Returns the time when the session was created, in milliseconds.
long l = s.getLastAccessedTime();       Returns the previous time a request was made with the same session ID.
s.setAttribute("userid", a);            Sets a session attribute in the session object.
Object o = s.getAttribute("userid");    Retrieves the value of the attribute that was set.

Setting the session timeout:
You don't have to use getCreationTime() and getLastAccessedTime() yourself to get rid of stale (inactive) sessions.
The container can do it for you.
Three ways a session can die:
  1. It times out.
  2. You call invalidate() on the session object.
  3. The application goes down (crashes or is undeployed).
Configure the session timeout in the deployment descriptor (DD, web.xml), in minutes:
<session-config>
  <session-timeout>15</session-timeout> <!-- 15 minutes -->
</session-config>
Or set it for one session in code, in seconds:
session.setMaxInactiveInterval(20*60); // 20 minutes


URL Rewriting

  • If cookies are disabled on the client, the Session API fails.
  • If the client won't take cookies, you can use URL rewriting as a backup.
  • URL rewriting is a better way to maintain sessions when the browser doesn't support cookies.
  • The session ID is then put into the URL.
  • It looks like ;jsessionid=0AAB678C99D1E415 and is added by these calls:
    response.encodeURL("/WelcomeServlet");
    response.encodeRedirectURL("/WelcomeServlet");
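
The HttpSession methods, the timeout settings and the encodeURL() call described above, put together in one servlet. This is an added example, not code from the original page; it assumes a Servlet 3.0+ container with the javax.servlet API, and the 8-hour lifetime cap and the "guest" value are constructed for illustration. It goes one step beyond the text by using getCreationTime() to cap total session lifetime, which the container's idle timeout does not do.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/WelcomeServlet")
public class WelcomeServlet extends HttpServlet {
    // Assumed policy for this example: no session lives longer than 8 hours,
    // however active it is. The container itself only enforces the idle timeout.
    private static final long MAX_LIFETIME_MS = 8L * 60 * 60 * 1000;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession s = request.getSession();   // creates a session if none exists

        // Absolute lifetime check built on getCreationTime().
        if (!s.isNew()
                && System.currentTimeMillis() - s.getCreationTime() > MAX_LIFETIME_MS) {
            s.invalidate();                     // destroys the session and its attributes
            s = request.getSession(true);       // start again with a new session ID
        }
        if (s.isNew()) {
            s.setMaxInactiveInterval(20 * 60);  // idle timeout in seconds (20 minutes)
            s.setAttribute("userid", "guest");  // constructed sample value
        }

        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("userid:        " + s.getAttribute("userid"));
        out.println("new session:   " + s.isNew());
        out.println("created:       " + new Date(s.getCreationTime()));
        out.println("last accessed: " + new Date(s.getLastAccessedTime()));
        // encodeURL() returns the URL unchanged once the session cookie has come
        // back from the client; otherwise it appends ;jsessionid=<id> to the path.
        out.println("next link:     "
                + response.encodeURL(request.getContextPath() + "/WelcomeServlet"));
    }
}
```

A session ID carried in a URL ends up wherever the URL does (browser history, server and proxy logs, Referer headers), so a rewritten link has to be handled like a credential. A Servlet 3.0 container can be restricted to cookie tracking with `<tracking-mode>COOKIE</tracking-mode>` inside `<session-config>` in web.xml.
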
Cookies

    What is a Cookie?
    • Cookies are small text files that are used by a Web server to keep track of users.
    • A cookie has value in the form of key-value pairs.
    • They are created by the server and sent to the client with the HTTP response headers.
    • javax.servlet.http.Cookie class is used to represent a cookie.

    • To create cookie object:

      Cookie ck = new Cookie("key","value");

    • To add cookie to browser:

      response.addCookie(ck); // addCookie method takes a cookie object as its argument

    • To get cookie:

      Cookie ck[]=request.getCookies();
  • A server can send one or more cookies to the client.

  • A web browser, which is the client software, is expected to support 20 cookies per host, and the size of each cookie can be a maximum of 4 bytes.

    Cookie Method                                Description
    Cookie c = new Cookie("userpref", "red");    Creates a cookie object.
    c.setMaxAge(int);                            Specifies the maximum amount of time for which the client browser retains the cookie value.
    HttpServletResponse.addCookie(c);            Sends the cookie to the client.
    Cookie c[] = HttpServletRequest.getCookies();   Retrieves all cookies.
    c.getName();                                 Retrieves the cookie name.
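
The cookie calls from the table above, wrapped in a small helper. This is an added example, not code from the original page; the class name `PrefCookie`, the allow-list of colours and the seven-day lifetime are assumptions, and a Servlet 3.0+ container is assumed for `setHttpOnly`. It covers two things the table does not show: `getCookies()` returns null when the request carries no cookies, and a cookie value is client-supplied input that is checked before use.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class PrefCookie {
    private static final String NAME = "userpref";
    private static final List<String> ALLOWED = Arrays.asList("red", "green", "blue");
    private static final String DEFAULT = "red";

    private PrefCookie() { }

    /** Reads the preference; anything absent or not on the allow-list becomes DEFAULT. */
    public static String read(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();  // null, not empty, when no cookies were sent
        if (cookies != null) {
            for (Cookie c : cookies) {
                // The value comes from the client, so it is checked before use.
                if (NAME.equals(c.getName()) && ALLOWED.contains(c.getValue())) {
                    return c.getValue();
                }
            }
        }
        return DEFAULT;
    }

    /** Sends the preference cookie, valid for seven days. */
    public static void write(HttpServletResponse response, String colour) {
        if (!ALLOWED.contains(colour)) {
            throw new IllegalArgumentException("unsupported colour");
        }
        response.addCookie(build(colour, 7 * 24 * 60 * 60));
    }

    /** Asks the browser to delete the cookie: same name and path, max age 0. */
    public static void clear(HttpServletResponse response) {
        response.addCookie(build("", 0));
    }

    private static Cookie build(String value, int maxAgeSeconds) {
        Cookie c = new Cookie(NAME, value);
        c.setMaxAge(maxAgeSeconds); // seconds; a negative value means "until the browser closes"
        c.setPath("/");
        c.setHttpOnly(true);        // hidden from page scripts (Servlet 3.0+)
        c.setSecure(true);          // only sent over HTTPS
        return c;
    }
}
```
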

    Using Hidden Form Fields

    • Hidden form fields are the simplest session-tracking technique.
    • It can be used to keep track of users by placing hidden fields in a form.
    • The values that have been entered in these fields are sent to the server when the user submits the form.
    • For Example:
      <input type="hidden" name="text1" value=20>

    Attributes Types in Servlet

    Request Attributes:
    • A request attribute is an object that is associated with a request.

    • Attributes are mainly used for communication from one servlet to another.

    • Attributes are accessed through the following methods of the ServletRequest interface:

      1. setAttribute: Stores an attribute in the current (this) request. Attributes are reset between requests.
      2. getAttribute: Returns an Object containing the value of the named attribute.
      3. getAttributeNames: Returns an Enumeration containing the names of the attributes available to this request.
      4. removeAttribute: Removes an attribute from the current (this) request.
    Session Attributes:
    • Session attributes are important when you are creating and maintaining a session for a client.

    • To identify the user, set and get attributes in the session.

    • Session attributes are implemented by the HttpSession interface, which provides methods such as:

      1. setAttribute: Creates or binds an object to the session with the specified name. If an object with the same name is already bound to the session, that object is replaced.
      2. getAttribute: Returns the object that is bound to this session with the specified name.
      3. getAttributeNames: Returns the names of all the objects bound to this session.
      4. removeAttribute: Removes the object that is bound to this session with the specified name.
    Context Attributes:
    A servlet binds an object attribute into the context by name, which makes it available to any other servlet that is part of the same web application.

    1. setAttribute: Creates and binds an object to a given attribute name in this servlet context.
    2. getAttribute: Returns the servlet container attribute with the given name.
    3. getAttributeNames: Returns the attribute names available within this servlet context.
    4. removeAttribute: Removes the attribute with the given name from the servlet context.
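
The three attribute scopes side by side, as an added example that is not part of the original page. The servlet name, the `/count` and `/report` mappings and the attribute names are assumptions, and a Servlet 3.0+ container with the javax.servlet API is assumed. The context attribute is shared by every user, so it holds a thread-safe counter and no per-user data.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = {"/count", "/report"})
public class CountServlet extends HttpServlet {
    @Override
    public void init() {
        // Context scope: one object for the whole web application, seen by
        // every session and every request, so it must be safe for concurrent use.
        getServletContext().setAttribute("totalHits", new AtomicLong());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("/report".equals(request.getServletPath())) {
            report(request, response);
            return;
        }
        AtomicLong total = (AtomicLong) getServletContext().getAttribute("totalHits");
        long all = total.incrementAndGet();

        // Session scope: one value per client session.
        HttpSession s = request.getSession();
        Integer mine = (Integer) s.getAttribute("myHits");
        mine = (mine == null) ? 1 : mine + 1;
        s.setAttribute("myHits", mine);

        // Request scope: handed to the forward target, gone when this request ends.
        request.setAttribute("summary", "this session: " + mine + ", all sessions: " + all);
        request.getRequestDispatcher("/report").forward(request, response);
    }

    // Forward target; in a larger application this would be another servlet or a JSP.
    private void report(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Null when /report is requested directly instead of being reached by forward.
        Object summary = request.getAttribute("summary");
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println(summary != null ? summary : "no summary in this request");
    }
}
```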