Session

Management in JSP
Objectives
Understand fully the concept of sessions in web development. Track user data using sessions. Learn how to set and get session data

Hypertext Transfer Protocol is stateless. This means to say that a client running a web browser must always establish a new connection to a web server to have a consistent link between a client running the web browser and the web server (via HTTP post or get method). Therefore, a single HTTP get or post operation become unreliable for a web server on transactions needing more than a single HTTP get or post operation. The act of keeping track of users as they move around a website is known as session tracking. For example, once a user has been authenticated to the web server, the users next HTTP operation either post or get should not cause the web server to ask for the users account and password again. Session management is the technique used by the web developer to make stateless HTTP protocol support session state. The session information is stored on the web server using the session identifier (SESSION ID) generated as a result of the first request from the end user running a web browser. These SESSION IDs and their corresponding data are stored in the web servers local memory, flat files or database.

JSP Sessions
Each visitor of a web site is associated with a session object. As mentioned above, a session is a storage where we put data into it and retrieve this data from it, much like a Hash table. Each visitor will have a different set of data.

Session Methods
Method removeAttribute(String name) setAttribute(String name, Object value) Description Remove the attribute and value from the session Set the object to the named attribute. This method is used to write an attribute and value to the session. Used to return the session created time. The returned time value would be in Example session.removeAttribute(user); session.setAttribute(userid, uAAxd);

getCreationTime()

session.getCreationTime()

getLastAccessedTime()

getID()

invalidate()

getMaxInactiveInterval()

setMaxInactiveInterval()

milliseconds, the time value is midnight January 1, 1970 GMT Return the latest time of the client request associated with the session. By using this method, it is possible to determine the last time the session was accessed before the current request. The returned time value would be in milliseconds and the time values is since midnight January 1, 1970 This method is used to return the unique identifier associated with the session Used to discard the session and releases any objects stored as attributes. This methods helps to reduce memory overhead and achieves improvement in performance. Return the maximum amount of time interval in seconds that the servlet container will keep this session open between client accesses. This returns the maximum amount of time that a session can be inactive before it is deleted. Set the timeout explicitly for each session. A user can use this method to set the default timeout

session.getLastAccessedTime();

session.getID();

session.invalidate();

session.getMaxInactiveInterval();

Session.setMaxInactiveInterval(600) //in seconds

How Java Keeps Track of Sessions

CLIENT BROWSER BROWSER BROWSER

jsessionid=EB573E..

jsessionid=EBE573..

SERVER BROWSER BROWSER BROWSER

First HTTP Request: The browser requests a JSP. The servlet engine creates a session object and assigns an ID for the session

First HTTP Response: The server returns the requested page and the ID for the session.

Following HTTP Request: The browser requests a JSP. The servlet engine uses the session ID to associate the browser with this session object.

The figure above shows how the servlet API keeps track of sessions. (servlet is a Java programming language class used to extend the capabilities of a server that host applications accessed via request-response programming model commonly used to extend the applications hosted by web servers). 1. A browser on a client requests a JSP or servlet from the web server, which passes the request to the servlet engine, our Tomcat. 2. The servlet engine checks if the request includes an ID for the Java session. a. If it doesnt , the servlet engine creates a unique ID for the session plus a session object that can be used to store the data for the session. 3. The web server uses the session ID generated to relate each browser to the session object, even though the server still drops the HTTP connection after returning each page. By default, the servlet API uses a cookie to store the session ID within the clients browser. This is an extension of the HTTP protocol. Then when the next request is made, this cookie is added to the request. However, if cookies have been disabled within a browser, this type of session tracking wont work. To get around this problem, the servlet API provides a way to rewrite the URL so it includes the session ID. This is known as URL encoding and it works even if cookies have been disabled within a browser.