Introduction to Session Management

A session is a conversation between a server and a client (browser): a series of related requests and responses. Session management is the mechanism the web container uses to store session information for a particular user across that conversation.

Why should a session be maintained?

HTTP is a stateless protocol: every request is new to the server. When a series of requests arrives from the same client, the server has no built-in way to tell which client sent which request. Web applications often need to know this and process each request accordingly. A shopping cart application, for example, must know who is sending the "add item" request and which cart the item belongs in, and who is sending the checkout request so that it charges the correct customer.

When the conversational state must be maintained, session tracking is needed. The client introduces itself by sending a unique identifier with every request, and the server uses that identifier to find the state it has stored for that client. Because this identifier is all that ties a request to a user, it must be unguessable and protected in transit; whoever holds it is treated as that user. There are several ways to carry the identifier in requests and responses.

  1. User authentication
  2. Hidden fields
  3. URL rewriting
  4. Cookies
  5. Session tracking API

1. User Authentication

In this method the user provides credentials on the login page, and the authentication information is then passed between client and server on every request to maintain the session. This is not very effective: it does not work when the same user is logged in from different browsers, since the server cannot tell the two conversations apart, and it ties session tracking to the credentials themselves rather than to a separate, short-lived identifier.

2. Hidden Fields

<input type="hidden" name="java" value="servlet">

Hidden fields like the one above can be inserted in web pages, and their values are sent to the server with the form for session tracking. They are not visible on the rendered page, but anyone can read them with the browser's view-source option. This method needs no special configuration of the browser or server and is available by default. It cannot be used with plain links, because the hidden field only travels when a form is submitted, so every request from client to server has to be a form submission. It is also not secure: the hidden value is plain text in the HTML source, and a client can read it, change it, or replay it in a request of its own. Never treat a hidden field as trustworthy; validate it on the server like any other request parameter.
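As an added example (not code from the original article), the servlet below carries a cart id in a hidden field and pairs it with an HMAC in a second hidden field, so the server can detect a client that edited the value in the page source. The servlet name, URL, cart id and server key are assumptions for illustration. Note what signing does and does not buy: it stops tampering with the value, but not replay by someone who already has the page source, which is why the article's warning about hidden fields still stands.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical cart servlet: the cart id rides in a hidden field, and a
// second hidden field carries an HMAC of it so the server can detect a
// client that edited the value in the page source.
@WebServlet("/cart")
public class HiddenFieldCartServlet extends HttpServlet {

    // Assumption: a per-deployment key loaded from configuration, never
    // hard-coded in production; fixed here only so the example is self-contained.
    private static final byte[] SERVER_KEY =
            "replace-with-32-random-bytes-from-config".getBytes(StandardCharsets.UTF_8);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cartId = "cart-7f3a";           // would come from the server-side store
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<form method='post' action='cart'>");
        out.println("<input type='hidden' name='cartId' value='" + cartId + "'>");
        out.println("<input type='hidden' name='sig' value='" + sign(cartId) + "'>");
        out.println("<input type='text' name='item'>");
        out.println("<input type='submit' value='Add item'>");
        out.println("</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cartId = req.getParameter("cartId");
        String sig = req.getParameter("sig");
        if (cartId == null || sig == null || !verify(cartId, sig)) {
            // The hidden field came back changed (or was forged): refuse it.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad cart token");
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Added " + req.getParameter("item") + " to " + cartId);
    }

    // HMAC-SHA256 over the field value, URL-safe Base64 so it fits in an attribute.
    static String sign(String value) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(mac.doFinal(value.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    static boolean verify(String value, String presented) {
        return MessageDigest.isEqual(
                sign(value).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

Deploy it in any Servlet 3.0+ container, load /cart, and edit the cartId value in the page source before submitting: the POST is rejected with 400 because the signature no longer matches.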

3. URL Rewriting

Original URL: http://localhost:8080/servlet/ServletName

Rewritten URL: http://localhost:8080/servlet/ServletName?sessionid=1234

When a request is made, an additional parameter is appended to the URL, usually a session id or sometimes a user id, which is enough to track the session (the Servlet container's own form of this is the ;jsessionid=... path parameter). The disadvantage is that implementing this by hand is tedious: the parameter has to be carried through every link, form and redirect like a chain until the conversation ends, and it must not clash with the application's own parameters. It also exposes the identifier, since URLs end up in browser history, bookmarks, proxy and server logs, and in the Referer header of requests to other sites.
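As an added example (not from the original article), the servlet below shows the container-managed form of URL rewriting that the Servlet API provides: every link and redirect is passed through encodeURL/encodeRedirectURL, which appends ;jsessionid=... only when the client did not send the session cookie. The servlet name and URL are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: counts visits in the session and emits one plain
// link and one rewritten link so the difference can be seen with cookies off.
@WebServlet("/rewrite")
public class UrlRewritingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        Integer hits = (Integer) session.getAttribute("hits");
        hits = (hits == null) ? 1 : hits + 1;
        session.setAttribute("hits", hits);

        // Report whether the id arrived by cookie, by URL, or not at all.
        String how = req.isRequestedSessionIdFromCookie() ? "cookie"
                   : req.isRequestedSessionIdFromURL() ? "URL"
                   : "new session";

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Visits in this session: " + hits + " (id came via " + how + ")</p>");
        // Unencoded link: the session is lost if cookies are disabled.
        out.println("<p><a href='rewrite'>plain link</a></p>");
        // Encoded link: the container appends ;jsessionid=... when needed.
        out.println("<p><a href='" + resp.encodeURL("rewrite") + "'>rewritten link</a></p>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Redirects need encodeRedirectURL for the same reason.
        resp.sendRedirect(resp.encodeRedirectURL("rewrite"));
    }
}
```

With cookies disabled in the browser, following the plain link starts a new session each time while the rewritten link keeps the counter going. Because an id in the URL leaks through logs, history and Referer, most deployments turn URL rewriting off entirely with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml (Servlet 3.0+), after which encodeURL leaves URLs untouched.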

4. Cookies

Cookies are small pieces of information sent by the web server in a response header (Set-Cookie) and stored by the browser. On each further request to that server the browser adds the cookie to the request header (Cookie), and the server can use it to keep track of the session.

Creating a new Cookie

Cookie ck = new Cookie("username",name);

Setting lifespan of a Cookie

ck.setMaxAge(30*60);//Setting max age of cookie

Sending Cookies to the client

response.addCookie(ck);

In the above code we added the cookie to the response object.

Getting Cookies from Client Request

Cookie[] cks = request.getCookies(); // null if the request carried no cookies

Session tracking is easy to implement and maintain using cookies. The disadvantage is that users can disable cookies in their browser preferences; the browser then does not store the cookie and session tracking fails. A cookie that carries a session identifier should also be set with the HttpOnly and Secure flags, so that page scripts cannot read it and it is only sent over HTTPS.
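As an added example (not from the original article), the servlet below tracks a session with its own cookie using the Cookie calls shown above. The cookie holds only a random, unguessable id; the data (a visit counter) stays server-side, keyed by that id. The servlet name, URL, cookie name and in-memory store are assumptions for illustration.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that tracks the session with its own cookie instead
// of the container's. Only an opaque id goes to the client.
@WebServlet("/visits")
public class CookieTrackingServlet extends HttpServlet {

    private static final String COOKIE_NAME = "TRACKID";
    private static final SecureRandom RNG = new SecureRandom();
    // In-memory store standing in for a real session store; not shared across nodes.
    private final Map<String, Integer> visits = new ConcurrentHashMap<>();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = findTrackingId(req);
        if (id == null || !visits.containsKey(id)) {
            // Unknown or missing id: mint a new one rather than trusting the client's value.
            id = newId();
            visits.put(id, 0);
            resp.addCookie(buildCookie(id, 30 * 60));
        }
        int count = visits.merge(id, 1, Integer::sum);
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Visits with this cookie: " + count);
    }

    // Pull our cookie out of the request, if the browser sent any at all.
    static String findTrackingId(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();          // null when the request has none
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    // 128 bits from SecureRandom, URL-safe Base64 so it is a valid cookie value.
    static String newId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static Cookie buildCookie(String id, int maxAgeSeconds) {
        Cookie ck = new Cookie(COOKIE_NAME, id);
        ck.setMaxAge(maxAgeSeconds);
        ck.setPath("/");          // scope to the application root
        ck.setHttpOnly(true);     // not readable from JavaScript
        ck.setSecure(true);       // sent only over HTTPS
        // javax.servlet.http.Cookie has no SameSite setter; add it with a raw
        // Set-Cookie header or at the container/proxy level.
        return ck;
    }
}
```

Load /visits twice over HTTPS and the counter advances; clear cookies and it restarts at 1, which is the failure mode the paragraph above describes. Tampering with the cookie value just yields a fresh id, because the server only honours ids it issued.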

5. Session tracking API

The Session Management API is built on top of the above session-tracking methods. The major disadvantages of all the above methods are:

Most of the time we do not only want to track the session; we also need to store data in it for use in later requests. Implementing that on top of the raw mechanisms takes a lot of effort.

None of the above methods is complete in itself; each fails in some scenario. So we need a solution that uses these tracking methods underneath and provides session management in all cases. That is why a Session Management API is needed, and J2EE Servlet technology ships with one (HttpSession) that we can use.
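As an added example (not from the original article), the servlet below uses the container's HttpSession for a login/logout flow: it stores the user in the session, rotates the session id at login so an id planted before login is useless afterwards, sets an idle timeout, and invalidates the session on logout. The servlet name, URL and the hard-coded credential check are assumptions standing in for a real password store.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical account servlet on top of the container's session API.
// GET shows who is logged in; POST logs in, or logs out with action=logout.
@WebServlet("/account")
public class SessionApiServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);   // do not create one just to look
        String user = (session == null) ? null : (String) session.getAttribute("user");
        resp.setContentType("text/plain;charset=UTF-8");
        if (user == null) {
            resp.getWriter().println("Not logged in");
        } else {
            resp.getWriter().println("Logged in as " + user
                    + "; session id " + session.getId()
                    + "; idle timeout " + session.getMaxInactiveInterval() + "s");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate();  // drop all server-side state
            resp.sendRedirect(req.getContextPath() + "/account");
            return;
        }
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (!checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // Rotate the id at the privilege change so an id handed to the victim
        // before login (session fixation) is worthless afterwards. Servlet 3.1+.
        req.changeSessionId();
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60);       // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    // Stand-in for a real credential check against a password-hash store.
    private static boolean checkCredentials(String user, String password) {
        return "alice".equals(user) && "correct horse".equals(password);
    }
}
```

Note the session id printed by GET before and after a successful POST: it changes, which is the point of changeSessionId(). Whether the id travels by cookie or URL is decided by the container's tracking mode, not by this code, which is what the article means by the API being built on top of the other methods.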

In the next article we will discuss all the session management techniques with working examples.
