The document covers session management in Java EE applications using servlets, focusing on techniques such as cookies, hidden fields, URL rewriting, and the HttpSession object. It explains the significance of maintaining sessions in a stateless HTTP protocol and discusses practical implementations and advantages/disadvantages of each session tracking method. Additionally, it provides a demo of using HttpSession for managing user sessions and outlines topics for the next training session.

1. Java & JEE Training
Session 33 – Session Management using Servlets
Hidden fields, URL rewriting, HTTPSession

2. Page 1Classification: Restricted
Agenda
• Session Management
• Servlets
• Hidden fields
• URL rewriting
• HTTPSession

3. Page 2Classification: Restricted
Quick review of previous session…
….

4. Page 3Classification: Restricted
Web Server and Application Server
Presentation Tier:
JSP, Servlets
Run on Web Server
or container
JDBC on web server
or app server
Database
Client:
HTML JS CSS
(Run on client
machine on the
browser)

5. Page 4Classification: Restricted
Parameters and Attributes
How to store
data in web
apps…
Parameters
(Read Only)
Request
Params Init Params
ServletConfig
(Per Servlet)
ServletContext
(Per
Application)
Attributes
(Read-Write)
Request
Session
Application
Page (JSP
only)
request.getParameter()
getServletConfig().getServletContext().getParameter()
getServletConfig().getParameter()
request.getAttribute()
request.setAttribute()
session =
request.getSession();
session.getAttribute()
session.setAttribute()
context =
request.getServletCon
text();
context.getAttribute()
context.setAttribute()

6. Page 5Classification: Restricted
Web.xml file: Servlet mapping to URL

7. Page 6Classification: Restricted
HTTP IS A STATELESS PROTOCOL
CLIENT SERVER
LOGIN ID AND
PASSWORD
LOGIN SUCCESSFUL
SHOW MY ACCOUNT
DETAILS
I DON’T KNOW YOU.
PLEASE LOGIN…
HOW DO I MAINTAIN
SESSIONS?
SESSION – SEQUENCE
OF RELATED
REQUESTS COMING
IN FROM THE CLIENT
SERVER SHARES AN
“ID” WITH THE CLIENT
TO REMEMBER THE
SESSION
EVERY REQUEST
IS DIFFERENT, A
NEW REQUEST

8. Page 7Classification: Restricted
HTTP IS A STATELESS PROTOCOL
CLIENT SERVER
LOGIN ID AND
PASSWORD
LOGIN SUCCESSFUL
SESSION ID = 1234
SHOW MY ACCOUNT
DETAILS; MY SESSION
ID = 1234
AHHH… I REMEMBER
YOU.
YOUR ACCOUNT
DETAILS ARE HERE…
HOW DO I MAINTAIN
SESSIONS?
SESSION – SEQUENCE
OF RELATED
REQUESTS COMING
IN FROM THE CLIENT
SERVER SHARES AN ID
WITH THE CLIENT TO
REMEMBER THE
SESSION

9. Page 8Classification: Restricted
Why track sessions?
• HTTP is stateless protocol
• So we need to maintain state across multiple requests of a session using
session tracking techniques.
• Session tracking techniques:
• Cookies – key-value pair is stored on the browser… used for
maintaining session information. Cookies are used (read and written)
by the server
• Hidden Form Field
• URL Rewriting
• HttpSession

10. Page 9Classification: Restricted
Demo of using cookies for session management…
• Student should be able to login by providing username and password.
• Once he logs in, he should be able to view more information about himself
viz. course, college, score.
• Logout.

11. Page 10Classification: Restricted
Hidden form fields…
• A web server can send a hidden HTML form field along with a unique
session ID as follows:
• <input type="hidden" name="sessionid" value="12345">
• This entry means that, when the form is submitted, the specified name and
value are automatically included in the GET or POST data. Each time when
web browser sends request back, then session_id value can be used to
keep the track of different web browsers.
• Advantage of Hidden Form Field
• It will always work whether cookie is disabled or not.
• Disadvantage of Hidden Form Field:
• It is maintained at server side.
• Extra form submission is required on each pages.
• Only textual information can be used.

12. Page 11Classification: Restricted
URL Rewriting
• You can append some extra data on the end of each URL that identifies the session,
and the server can associate that session identifier with data it has stored about
that session.
• For example, with http://mycompany.com/file.htm;sessionid=12345, the session
identifier is attached as sessionid=12345 which can be accessed at the web server
to identify the client.
• URL rewriting is a better way to maintain sessions and works for the browsers when
they don't support cookies but here drawback is that you would have generate
every URL dynamically to assign a session ID though page is simple static HTML
page.
• Advantage of URL Rewriting
• It will always work whether cookie is disabled or not (browser independent).
• Extra form submission is not required on each pages.
• Disadvantage of URL Rewriting
• It will work only with links.
• It can send Only textual information.

13. Page 12Classification: Restricted
Using HttpSession
• HttpSession object is used to store entire session with a specific client. We
can store, retrieve and remove attribute from HttpSession object. Any
servlet can have access to HttpSession object throughout the getSession()
method of the HttpServletRequest object.

14. Page 13Classification: Restricted
Important HttpSession Methods
Methods Description
long getCreationTime() returns the time when the session was
created, measured in milliseconds since
midnight January 1, 1970 GMT.
String getId() returns a string containing the unique
identifier assigned to the session.
long getLastAccessedTime() returns the last time the client sent a
request associated with the session
int getMaxInactiveInterval() returns the maximum time interval, in
seconds.
void invalidate() destroy the session
boolean isNew() returns true if the session is new else false
void setMaxInactiveInterval(int interval) Specifies the time, in seconds,after servlet
container will invalidate the session.

15. Page 14Classification: Restricted
HttpSession usage

16. Page 15Classification: Restricted
Session attributes maintained separately for
each client session
CLIENT SERVER
JSESSIONID
= 12345
JSESSIONID=12345:
ATTRIBUTE1,ATTRIBUTE
2…
CLIENT 2
JSESSIONID
= 45678
JSESSIONID=45678:
ATTRIBUTE1,ATTRIBUTE
2…

17. Page 16Classification: Restricted
HttpSession Demo
• Demo
• Write a login / logout application using HttpSession

18. Page 17Classification: Restricted
Topics to be covered in next session
• Deployment Descripter
• Configuring and Mapping a Servlet
• The flow of the demo web apps
• JDBC Best practices
• Design Patterns

19. Page 18Classification: Restricted
Thank you!