Cookie vs session
• A cookie is a small piece of text stored
on a user's computer by their browser.
Common uses for cookies are
authentication, storing of site
preferences, shopping cart items, and
server session identification.
• Each time the user's web browser
interacts with a web server it will pass
the cookie information to the web
server. Only the cookies stored by the
browser that relate to the domain in
the requested URL will be sent to the
server. This means that cookies that
relate to www.example.com will not be
sent to www.exampledomain.com.
• In essence, a cookie is a great way of
linking one page to the next for a user's
interaction with a web site or web
• A session can be defined as a server-
side storage of information that is
desired to persist throughout the
user's interaction with the web site or
• Instead of storing large and constantly
changing information via cookies in
the user's browser, only a unique
identifier is stored on the client side
(called a "session id"). This session id
is passed to the web server every time
the browser makes an HTTP request
(i.e. a page link or AJAX request). The
web application pairs this session id
with its internal database and
retrieves the stored variables for use
by the requested page.
• By default, each request is
considered as a new request.
• In the cookie technique, we add a cookie
to the response from the servlet. So the
cookie is stored in the cache of the
• After that, if a request is sent by the
user, the cookie is added to the request by
• Thus, we recognize the user as the
• For Example:
• Flipkart uses a session to maintain
the details of various products
selected by its customers, which
is called a cart.
• Session Tracking is a way to
maintain state (data) of a user. It
is also known as session
management in servlet.
Cookies in servlets
• A cookie is a small piece of information that is persisted across
multiple client requests.
• Advantage of Cookies
• Simplest technique of maintaining the state.
• Cookies are maintained at client side.
• Disadvantage of Cookies
• It will not work if cookies are disabled in the browser.
• Only textual information can be set in a Cookie object.
• Gmail uses the cookie technique for login. If you disable the cookie, Gmail
• The Servlet API provides session management through the HttpSession interface.
We can get the session from the HttpServletRequest object using the following
methods. HttpSession allows us to set objects as attributes that can be
retrieved in future requests.
• HttpSession getSession() – This method always returns an HttpSession
object. It returns the session object attached to the request; if the
request has no session attached, then it creates a new session and returns
• HttpSession getSession(boolean flag) – This method returns an HttpSession
object if the request has a session, else it returns null.
• Some of the important methods of HttpSession are:
• String getId() – Returns a string containing the unique identifier assigned to this
• Object getAttribute(String name) – Returns the object bound with the specified
name in this session, or null if no object is bound under the name. Some other
methods to work with Session attributes
are getAttributeNames(), removeAttribute(String name) and setAttribute(String
name, Object value).
• long getCreationTime() – Returns the time when this session was created, measured
in milliseconds since midnight January 1, 1970 GMT. We can get last accessed time
with getLastAccessedTime() method.
• setMaxInactiveInterval(int interval) – Specifies the time, in seconds, between client
requests before the servlet container will invalidate this session. We can get session
timeout value from getMaxInactiveInterval() method.
• ServletContext getServletContext() – Returns ServletContext object for the
• boolean isNew() – Returns true if the client does not yet know about the session or if
the client chooses not to join the session.
• void invalidate() – Invalidates this session, then unbinds any objects bound to it.
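
The HttpSession methods listed above, combined into a login/logout lifecycle. This is an added example, not code from the original slides; the class name SessionHelper, the attribute name "user", the 15-minute timeout and the preference cookie are assumptions, and it assumes the javax.servlet API (3.0 or later) is on the classpath.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not from the original page) built only on the
// HttpSession and Cookie methods of the servlet API.
public final class SessionHelper {
    private static final String USER_ATTR = "user";      // assumed attribute name
    private static final int IDLE_TIMEOUT_SECONDS = 900; // assumed 15-minute idle limit

    // Call only after the application has verified the user's credentials.
    public static HttpSession startAuthenticatedSession(HttpServletRequest req, String user) {
        // getSession(false) never creates a session: null means none exists.
        HttpSession old = req.getSession(false);
        if (old != null) {
            // Discard the pre-login session so a session id the browser held
            // before authentication is never reused as an authenticated one.
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // new session with a new id
        fresh.setAttribute(USER_ATTR, user);
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        return fresh;
    }

    // Returns the logged-in user, or null. Uses getSession(false) so that
    // anonymous requests do not allocate server-side sessions.
    public static String currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        return s == null ? null : (String) s.getAttribute(USER_ATTR);
    }

    public static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate(); // unbinds every attribute; the old id stops working
        }
    }

    // A cookie the application sets itself (for example a site preference).
    public static void addPreferenceCookie(HttpServletResponse resp, String name, String value) {
        Cookie c = new Cookie(name, value); // only textual values are allowed
        c.setHttpOnly(true); // not readable from page JavaScript
        c.setSecure(true);   // sent only over HTTPS
        resp.addCookie(c);
    }
}
```

Only the session id travels in the browser's cookie; the "user" attribute stays on the server and is looked up from that id on each request.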