CS320 Web and Internet Programming Cookies and Session Tracking

Slides:



Advertisements
Similar presentations
7 Copyright © 2005, Oracle. All rights reserved. Maintaining State in J2EE Applications.
Advertisements

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.
CS320 Web and Internet Programming Generating HTTP Responses
Servlet Session Tracking. 2 Persistent information A server site typically needs to maintain two kinds of persistent (remembered) information: Information.
Web technologies and programming cse hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
Chapter 5 HTTP Request Headers. Content 1.Request headers 2.Reading Request Headers 3.Making a Table of All Request Headers 4.Sending Compressed Web Pages.
CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.
Session tracking There are a number of problems that arise from the fact that HTTP is a "stateless" protocol. In particular, when you are doing on- line.
Session Tracking - 2 Lec 32. Last Lecture Review  Session Tracking – why?  Need to store state – typical solutions Cookies – already learned URL Rewriting.
1 Maryland ColdFusion User Group Session Management December 2001 Michael Schuler
Web Application Development * These slides have been adapted and modified from CoreServlets course material (Marty Hall) and LUMS cs391 (Umair Javed).
Chapter 6 Server-side Programming: Java Servlets
Chapter 9 Session Tracking. Session Tracking Basics Accessing the session object associated with the current request: Call request.getSession to get an.
® IBM Software Group © 2007 IBM Corporation Best Practices for Session Management
Web Database Programming Week 7 Session Management & Authentication.
CSCI 6962: Server-side Design and Programming Java Server Faces Scoping and Session Handling.
CSI 3125, Preliminaries, page 1 SERVLET. CSI 3125, Preliminaries, page 2 SERVLET A servlet is a server-side software program, Responds oriented other.
1 State and Session Management HTTP is a stateless protocol – it has no memory of prior connections and cannot distinguish one request from another. The.
©SoftMooreSlide 1 Session Tracking with Servlets.
CSC 2720 Building Web Applications Managing Users' States – Cookies, URL-Rewriting, Hidden Fields and Session Management APIs.
Servlets 4 Lec 30 Web Design and Development. Looking Back… Response Redirection  Sending a standard redirect  Sending a redirect to an error page Request.
HTTP protocol Java Servlets. HTTP protocol Web system communicates with end-user via HTTP protocol HTTP protocol methods: GET, POST, HEAD, PUT, OPTIONS,
Session Tracking Parts of this presentation was provided by SSE.
8-Mar-16 More About Servlets Session Tracking. Persistent information A server site typically needs to maintain two kinds of persistent (remembered) information:
Net-centric Computing Servlets & JSP. Lecture Outline  Tracking Sessions  Cookies  Examples  JSP  Differences between JSP and Servlets  JSP Constructs.
Distributed Web Systems Cookies and Session Tracking Lecturer Department University.
File Uploads and Cookies Pat Morin COMP Outline File upload Cookies.
What’s Really Happening
CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.
Servlets: HTTP Request Header Contents and Responses
Cookies Tutorial Cavisson Systems Inc..
Building Web Apps with Servlets
Web Basics: HTML and HTTP
CS320 Web and Internet Programming Generating HTTP Responses
HTTP – An overview.
The Hypertext Transfer Protocol
How does it work ?.
Servlet Sessions and Cookies
1993 version of Mosaic browser.
Sessions Many interactive Web sites spread user data entry out over several pages: Ex: add items to cart, enter shipping information, enter billing information.
Java Servlets.
CS3220 Web and Internet Programming Generating HTTP Responses
Chapter 6 Server-side Programming: Java Servlets
Client / Session Identification Cookies
HTTP Protocol.
Sessions.
Uniform Resource Locators
What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.
Servlet Session Tracking
Client / Session Identification Cookies
HTTP Request Method URL Protocol Version GET /index.html HTTP/1.1
HTTP -02-.
Servlet APIs Every servlet must implement javax.servlet.Servlet interface Most servlets implement the interface by extending one of these classes javax.servlet.GenericServlet.
Uniform Resource Locators (URLs)
CS3220 Web and Internet Programming Cookies and Session Tracking
Hypertext Transfer Protocol
Session Tracking Techniques
Sessions Many interactive Web sites spread user data entry out over several pages: Ex: add items to cart, enter shipping information, enter billing information.
CS3220 Web and Internet Programming Handling HTTP Requests
Kevin Harville Source: Webmaster in a Nutshell, O'Rielly Books
Uniform Resource Locators
PHP State.
CS3220 Web and Internet Programming Cookies and Session Tracking
CS5220 Advanced Topics in Web Programming Secure REST API
Uniform Resource Locators (URLs)
CSCI-351 Data communication and Networks
Servlet Session Tracking: Session API
Presentation transcript:

CS320 Web and Internet Programming Cookies and Session Tracking Chengyu Sun California State University, Los Angeles

Session Tracking The Need The Difficulty The Trick? shopping cart, personalization, ... The Difficulty HTTP is a “stateless” protocol Even persistent connections only last seconds The Trick?

General Idea client server request response + session id (sid) request + sid request + sid request + sid request + sid

Three Ways to Implement Session Tracking URL Re-writing E.g. http://csns.calstatela.edu/index.html;jsessionid=748D9512C9B19B0DCC9477696A88CF12 Hidden form fields Cookies

Cookies Set by the server as a response header Set-Cookie Added to each subsequent request by the browser as a request header Cookie

HTTP Response Example HTTP/1.1 200 OK Date: Mon, 11 Apr 2011 16:53:26 GMT Set-Cookie: JSESSIONID=7E3019D5D76D41E0B42FC1410B0A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 2208 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head><title>CSNS</title></head> … …

HTTP Request Example GET /img/style/title_bg.gif HTTP/1.1 Host: csns.calstatela.edu User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:2.0) Firefox/4.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Cookie: JSESSIONID=7E3019D5D76D41E0B42FC1410B0A

Cookie Attributes Name, Value Host/Domain, Path Controls whether the cookie should be included in a request Require secure connection Max age Comment

Servlet Cookie API Cookie HttpServletResponse HttpServletRequest http://download.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html HttpServletResponse addCookie( Cookie ) HttpServletRequest Cookie[] getCookies()

Example: GuestBook with Cookie Use a cookie to store name so a user only needs to enter their name once

Cookie or No Cookie? Is cookie a potential security problem? Virus? DoS? How about privacy? Cookie manager in Firefox Internet Options in IE

Problems with Cookies Cookies have size limit Malicious users can fake cookie data Sometimes cookie is disabled in browser Cookie API is somewhat tedious to use

Servlet Session Tracking API HttpServletRequest HttpSession getSession() HttpSession http://download.oracle.com/javaee/6/api/javax/servlet/http/HttpSession.html setAttribute( String, Object ) getAttribute( String ) invalidate()

About Session Tracking API Data is stored on the server, i.e. no size limit Each session is assigned a unique session id, which is used to access data associated with the session Session id is randomly generated and hard to fake Session tracking use cookie by default, but can automatically switch to URL rewriting if cookie is disabled

Example: GuestBook Using Session Tracking API Session is shared among servlets Servlet context attributes (a.k.a. application scope variables) vs. session attributes (a.k.a. session scope variables) Similarities?? Differences?? Usage??

Example: Login and Members … Username: Members Only! Password: Login Members

… Example: Login and Members Validate username and password Failed: redirect to error page Succeeded: set a session attribute “username”, and redirect to Members Members Check session attribute “username” null: redirect to Login otherwise display content

Session Configuration in web.xml Default session timeout in Tomcat is 30 minutes Session timeout can be changed in web.xml The timeout value must be an integer Session never timeout if value <= 0 <session-config> <session-timeout>60</session-timeout> </session-config>

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.