Web Application Development * These slides have been adapted and modified from CoreServlets course material (Marty Hall) and LUMS cs391 (Umair Javed).

 HTTP is a stateless protocol  Every request is considered independent of every other request  Many web applications need to maintain a conversational state with the client  A shopping cart is a classic example

 Example Conversations  When clients at on-line store add item to their shopping cart, how does server know what’s already in cart?  When clients decide to proceed to checkout, how can server determine which previously created cart is theirs?

 Server Side?  Makes Server Really Complicated  State per client!  Client Side?

 Server puts little notes on the client side  When client submits the next form, it also (unknowingly) submits these little notes  Server reads the notes, remembers who the client is

Credit: Programming the World Wide Web Book by Sebesta

 Cookies  Advantages ▪ Cookies do not require any server resources since they are stored on the client. ▪ Cookies are easy to implement. ▪ You can configure cookies to expire when the browser session ends (session cookies) or they can exist for a specified length of time on the client computer (persistent cookies).  Disadvantages ▪ Users can delete cookies. ▪ Users browser can refuse cookies, so your code has to anticipate that possibility.

 URL Rewriting  Advantage ▪ Works even if cookies are disabled or unsupported  Disadvantages ▪ Lots of tedious processing ▪ Must encode all URLs that refer to your own site ▪ Links from other sites and bookmarks can fail

 For example, the following URLs have been rewritten to pass the session id 123  Original  Extra path information  Added parameter  Custom change

 Hidden Fields  Advantage ▪ Works even if cookies are disabled or unsupported  Disadvantages ▪ Lots of tedious processing ▪ All pages must be the result of form submissions



 Session objects live on the server  Automatically associated with client via cookies or URL-rewriting  Checks for a cookie or URL extra info

1.To get the user’s session object  Call getSession( ) method of HTTPServletRequest class  pass false to the getSession() method HttpSession ses = request.getSession(false);  If no current session exists: ▪ You will get a null object

1.To get the user’s session object (cont.)  If true is passed to the getSession() method then  If user already has a session ▪ the existing session is returned  For example: HttpSession ses = request.getSession(true);  If no session exists ▪ a new one is created and returned

2. Storing information in a session  Session objects works like a HashMap ▪ HashMap is able to store any type of java object  You can therefore store any number of keys and their values  For example ses.setAttribute(“id”, “123”); keyValue

3. Looking up information associated with a session String sID = (String)ses.getAttribute(“id”); returns an Object type, so you will need to perform a type cast

4. Terminating session  Automatic ▪ After the amount of time session gets terminated automatically( getMaxInactiveInterval( ) )  Manual ses.invalidate();

 HttpServletResponse provides two methods to perform encoding 1. String encodeURL(String URL) 2. String encodeRedirectURL(String URL)  If Cookies disabled  Both methods encodes (rewrites) the specified URL to include the session ID and returns the new URL  If Cookies enabled  Returns the URL unchanged

1. String encodeURL(String URL)  For example String URL = “/servlet/sessiontracker”; String eURL = response.encodeURL(URL); out. println("... ");

2. String encodeRedirectURL(String URL)  For example String URL = “/servlet/sessiontracker”; String eURL = response.encodeRedirectURL(URL); response.sendRedirect(eURL);

Amazon Servlet Container Session ID = 123XYZ Shopping Cart sc [item 1=324] Request Credit: cs193i at Standford

Amazon Servlet Container Session ID = 123XYZ Shopping Cart sc [item 1=324] Response: Set-Cookie: sid=123XYZ Credit: cs193i at Standford

Amazon Servlet Container Session ID = 123XYZ Shopping Cart sc [item 1=324] Request: Set-Cookie: sid=123XYZ Credit: cs193i at Standford

Amazon Servlet Container Session ID = 123XYZ Shopping Cart sc [item 1=324 item 2=115] Request: Set-Cookie: sid=123XYZ Credit: cs193i at Standford

 getAttribute (getValue in old servlet spec 2.1)  Extracts a previously stored value from a session object. Returns null if no value is associated with given name.  setAttribute (putValue in ver. 2.1)  Associates a value with a name. Monitor changes: values implement HttpSessionBindingListener.  removeAttribute (removeValue in ver. 2.1)  Removes values associated with name.

 getCreationTime  Returns time at which session was first created  getLastAccessedTime  Returns time at which session was last sent from client  getMaxInactiveInterval, setMaxInactiveInterval  Gets or sets the amount of time session should go without access before being invalidated  invalidate  Invalidates the session and unbinds all objects associated with it

 Although it usually uses cookies behind the scenes, the session tracking API is higher-level and easier to use than the cookie API  If server supports URL-rewriting, your code unchanged  Session information lives on server  Cookie or extra URL info associates it with a user  Obtaining session  request.getSession(true)  Associating values with keys  session.setAttribute (or session.putValue)  Finding values associated with keys  session.getAttribute (or session.getValue) ▪ Always check if this value is null