CSCI 6962: Server-side Design and Programming Java Server Faces Scoping and Session Handling

Outline Session handling concepts Session scoping in managed beans – Creating a session bean – Information flow Session properties – Timeouts – Web.xml URL encoding

Sessions Session: Set of pages submitted by user to accomplish goal – Example: Most on-line shopping Add to cart Enter shipping information Enter payment information Reciept

Need for Session Handling Problem: No way to associate steps if multiple clients – Nothing built into the web allows server to know where a request is coming from – Server may have to simultaneously manage thousands of sessions ?

Session Handling Assign each new client unique ID at start of session. Pass ID to client as part of each response – Now client knows it as well – Stored as cookie by default Client passes ID back to server with subsequent requests – Server can associate this request can be associated with initial request. Server stores client data in table indexed by session ID Client Server initial request session ID created for client data associated with this client response including session ID further requests include more data + session ID session ID (stored as cookie)

Managed Bean Scoping Managed beans have scope – Set of pages that have access to the bean – “Period of time” for which Glassfish stores bean in memory Major types of scoping: – request: current page – session: all pages for single user (over given time) – application: all pages for all users

Creating Session Beans Scoping set at bean creation in NetBeans Choose session scope

Session Creation When user first requests page – Create any new session beans used by page – Create unique JSessionID for this user – Associate beans with that JSessionID – Bean state then stored as string between access Request for JSF page (initial form request) J JSF J Bean JSessionID Serialized form of bean

Browser Passing Session to Client SessionID passed to client along with requested page – By default, stored in client-side cookie J html JSessionID J JSF J Bean JSessionID Cookies

Passing Session to Server At page submission, sessionID passed as part of request – Cookies associated with page automatically passed Browser J html JSessionID J Bean JSessionID Cookies

Retrieving Session Glassfish looks up session beans with matching ID Form data loaded into that bean set methods Form values Browser J html JSessionID J Bean JSessionID Cookies

Session Handling in JSP Sessions can be accessed from both servlet and JSP – Servlet: Construct a new session object from the request HttpSession session = request.getSession(); – JSP: Just use built-in session object which Tomcat creates from request (like request object) Server session ID created for client data associated with this client Servlet Construct session object JSP Use session object request : form data + session ID

Session Timeouts Sessions time out after specific period of inactivity – Inactivity = session bean not requested by any page – Goal: efficiency, security – If session expired, access creates new bean (with default values instead of previous values) Session timeout property of web.xml file

Sessions and Cookies Default: JSessionID stored in cookie in client-side browser What if user disables cookies?

URL Encoding Pass session ID to the client as part of every response Insure that client sends that session ID back to the server as part of every request Browser J html JSessionID J JSF J Bean JSessionID set Form values

URL Encoding JSessionID now passed in url

URL Encoding URL encoding done automatically in JSF if cookies not enabled Can control whether URL encoding done using tracking-mode tag in web.xml – Not currently supported in NetBeans