Session Management

Nobody likes providing a username and password every time he moves to a different page. Consider that you are shopping online. You select a few things that you would like to have. You now navigate to another page containing a different set of items. Finally when you are done with selecting items, you find that none of the items that you selected were saved. The application was not able to maintain a “conversational state” with you.

The http protocol does not provide a way to maintain a conversational state between the client and the server. Therefore we need some technique to maintain a conversational state. There are many ways of maintaining a “conversational state” between the client and server. Let me list out the common ones –

• Hidden Fields
• URL Rewriting
• Cookies
• HttpSession

Among these the HttpSession belonging to the Servlet API is the most popular method. There are times when the HttpSession would not help you, for example you would like to save customers preferences over a period of time so that the next time he visits your page you can load his preferences, in this case it would be better to use the concept of Cookies. Anyways, in this little tutorial I would tell you how the server is able to maintain a conversational state using the HttpSession technique.

Consider a client sends a request to a servlet. The servlet realizes that it needs to save the state of the client until the client decides to leave the application. It now retrieves the HttpSession object using the request.getSession() method. At this point the container checks if a session has already been created for the client. If not it creates a new session for the client. That is it! Right? No! You need to know more of it. What do you ever mean by “a session is created”? Shouldn’t the container have some method to identify repeated requests from the same client? So it does.

The container creates a unique session id for the client which is generally named as the JSESSIONID. When the response is sent it appends the session id to the response header as a cookie –
Set-Cookie: JSESSIONID=FSDGSDG13213.
The session id can be anything. After this each time the client sends the request to the container, the container identifies the client using the JSESSIONID. Now what happens if cookies are disabled on the client side? Session would not be saved? I had the same question. But after implementing a simple servlet, with cookies disabled, I found that the session was still maintained. After a few google searches I found that the cookies are stored in the server memory and not on the client side. Now again you might have a question on the cookies that are stored for a longer period. Will the server keep it for such a long time? No, when you specify a maximum age for the cookie using the setMaxAge() method, the cookie is written into a file and saved on the client machine(provided cookies are enabled on the client browser).

How do you invalidate the session? Either you set the maximum age that it should live (setMaxAgeInterval() ), or you do it explicitly (session.invalidate()).
There is a lot more on session management that I found very interesting on the HFSJSP. And please take a look on how sessions should be handled if the cookies are disabled even on the server side (can you do it? Find out and tell me). Comments welcome!