1. ©SoftMooreSlide 1 Session Tracking with Servlets

2. ©SoftMooreSlide 2 Why session tracking? Problem: HTTP is a stateless protocol. –Each time a client requests a web page, the client opens a separate connection to the web server. –The server does not automatically maintain contextual information. –Problems exist even for servers that support persistent (keep-alive) HTTP connections. When a client adds an item to the shopping cart, how does the server know what’s already in cart? When a client proceeds to checkout, how can server determine which previously created cart is the one for this client?

3. ©SoftMooreSlide 3 Implementing Session Tracking Usually involves two maps –one for each client to associate session-specific information and objects (e.g., the client’s shopping cart) –a global map that associates session IDs with each session-specific map Alternatives –URL rewriting –Hidden form fields –Cookies Java servlets provide a high-level interface for session tracking that is built on top of cookies or ULR rewriting.

4. ©SoftMooreSlide 4 URL Rewriting Basic idea –client appends some extra data on the end of each URL that identifies the session –server associates that identifier with data it has stored about that session Example: http://host/path/file.html;jsessionid=1234 Advantage –works even if cookies are disabled or unsupported Disadvantages –must encode all URLs that refer to your own site –all pages must be dynamically generated –fails for bookmarks and links from other sites

5. ©SoftMooreSlide 5 Hidden Form Fields Basic idea Advantage –works even if cookies are disabled or unsupported Disadvantages –lots of tedious processing –all pages must be the result of form submissions –easily hacked

6. ©SoftMooreSlide 6 Cookies Basic idea: associate cookie with data on server Advantage –widely used and well-understood Disadvantages –lot’s of work to create/save/retrieve/extract cookies –client may not accept cookies

7. ©SoftMooreSlide 7 Session Tracking in Java Session objects live on the server and are automatically associated with client via cookies or URL-rewriting Use request.getSession() to get session –system looks at cookie or URL extra info and sees if it matches the key to some previously stored session object –if so, it returns that object –if not, it creates a new one, assigns a cookie or URL info as its key, and returns that new session object Map-like mechanism lets you store arbitrary objects inside a session object –setAttribute() stores name/value pair –getAttribute() retrieves values

8. ©SoftMooreSlide 8 Session Tracking in Java (continued) To discard session data –call removeAttribute() to discard a specific value –call invalidate() to discard an entire session For code that generates hypertext links for client back to serrver’s site –pass URL through response.encodeURL() –if server is using cookies, this returns URL unchanged –if server is using URL rewriting, this appends the session info to the URL Example String url = response.encodeURL("order-page.html");

9. ©SoftMooreSlide 9 Session Tracking in Java (continued) For code that does sendRedirect() to own site, pass URL through response.encodeRedirectURL() Additional code changes if server uses cookies versus URL rewriting? None!

10. Session Objects Live on the server One per client (not one per servlet) Identified by a session ID Preserved automatically even for browsers that don’t support cookies use cookies if possible; otherwise use URL rewriting. Expire after 30 minutes by default if no user interaction Automatically saved to disk if server goes down; automatically restored if server restarts (uses serialization) ©SoftMooreSlide 10

11. Session Tracking ©SoftMooreSlide 11 Browser 1234 sessionObj “person” personObj “items” itemObj Servlet Engine JSESSIONID=1234

12. Example: Session Tracking in Java HttpSession session = request.getSession(true); ShoppingCart cart = (ShoppingCart)session.getAttribute("shoppingCart"); if (cart == null) { cart = new ShoppingCart(...); session.setAttribute("shoppingCart", cart); }... // add items to shopping cart ©SoftMooreSlide 12 Do not call setAttribute() again after modifying the shopping cart if the modified cart is the same object, but for immutable objects in the session, you need to create a new object and call setAttribute() again.

13. Getting a Session Object Use the method getSession() in the request HttpServletRequest.getSession(boolean create) The boolean parameter create –true will create a new session if it does not exist returns the current HttpSession object associated with the request if one exists returns a new HttpSession object if one does not exist –false will not create a new session object returns the current HttpSession object associated with the request if one exists returns null if the request has no HttpSession object ©SoftMooreSlide 13

14. ©SoftMooreSlide 14 HttpSession Methods getAttribute(String name) –returns the object bound with the specified name in this session, or null if no such object getAttributeNames() –returns an Enumeration of the names of all objects bound to this session getCreationTime() –returns the time when this session was created getId() –returns the unique identifier assigned to this session

15. ©SoftMooreSlide 15 HttpSession Methods (continued) getLastAccessedTime() –returns last time client sent a request associated with this session getMaxInactiveInterval() –returns the maximum time interval that the servlet container will keep this session open between client accesses getServletContext() –returns the ServletContext to which this session belongs invalidate() –invalidates this session and unbinds any objects bound to it isNew() –returns true if the session is new to the client

16. ©SoftMooreSlide 16 HttpSession Methods (continued) removeAttribute(String name) –removes the object bound with the specified name from this session setAttribute(String name, Object value) –binds an object to this session using the name specified setMaxInactiveInterval(int interval) –specifies the time between client requests before the servlet container will invalidate this session