Session tracking maintains the state of users between HTTP requests in servlets. Common techniques include cookies, hidden form fields, URL rewriting, and HTTP sessions. Cookies store data on the client side in the browser cache while HTTP sessions store data on the server side. Cookies have limitations on size and security while sessions can store unlimited data securely on the server but end when the browser closes. Both techniques allow servlets to identify returning users and maintain state across requests.

1. Session And Cookies
In Servlets

2. Table of Contents
1. Servlets
2. The Problem with HTTP
3. Session Tracking in Servlet
4. Cookies
5. Hidden Form Field
6. URL Rewriting
7. HttpSession
8. Session v/s Cookies

3. What are Servlets anyway?
� Java program that runs on servers.
� Capable of Handling Requests and generating Dynamic Response.

4. The PROBLEM with HTTP
� HTTP is used as Protocol to transfer data and
information between Client and Server.
� HTTP (Hypertext Transfer Protocol) is STATELESS.
� Client - Server Architecture : A Client requests a
Server and the Server responses a dynamic page
(HTML) when a Servlet processes the requests.
� Server treats every request as a new request as the
state (data) of the user is not saved / maintained.
� Server won’t remember anything from the first
request and does the same task for the new request
even if the user is same as the previous one.

5. Analogy : The University Admission (Stateless)

6. Without Session - Stateless Management

7. Live Demonstration

8. Session Tracking in Servlet
● Session Tracking is a way to maintain state (data) of an user.
● It is also known as State Management.
Techniques :
1. Cookies
2. Hidden Form Field
3. URL Rewriting
4. HttpSession

9. Cookies

10. What are Cookies anyway?
� Small piece of textual information stored in Key-Value pair in Client’s
Browser.
� Cookie is stored in browser’s cache.

11. How Does Cookie Work?

12. 1. User Signs Up. Client
posts a HTTP request to the
server containing username
and password.
2. Server receives this
request and hashes the
password before storing into
database.

13. 3. Client logs in. Provides
username and password
and again a HTTP request
is posted to server.
4. Server looks up the
username in the database,
hashes the supplied login
password, and compares it
to the previously hashed
password in the database.

14. 5. If the credentials are
correct, server creates an
Access Token, which uniquely
identifies the user’s session.
6. We then store the access
token in the database
associated with that user.

15. 7. Attach the access token
with a Cookie returned to
client. Now the Cookie has
been returned to client and
client stores the cookie in
browser.

16. 8. On client side now, we
are logged in. Every time
now a client makes a
request for a page that
requires authorization (i.e.
they need to be logged in),
the server obtains the
access token from the
cookie and checks it
against the one in the
database associated with
that user. If it checks out,
access is granted.

17. Live Demonstration

18. Hidden Form Field

19. How does Hidden Form Field Works?
� A hidden text field is used for maintaining state of an user.
� We have form in all pages that can be submitted and we can pass user’s data
in an hidden field.
� Does not have to be dependent on browser.
� Works, even if the cookies are disabled.
� Extra Form Submission is required to maintain state.
� Not Ideal.

20. Live Demonstration

21. URL Rewriting

22. How does URL Rewriting Works?
� We append a query string or token to the URL of the next servlet or the next
page.
� It will be a name - value pair.
� If multiple data has to be sent then it will be separated by ampersand(&).
� Works even if the cookies are disabled.
� No extra form submission.
� Works with links or hyperlinks.

23. Live Demonstration

24. HttpSession

25. How does HttpSession Works?
� Session simply means small interval of time.
� Used for state management.
� When a client requests a server for the first time, the server creates a Session
ID, and stores it with some key value pair like client’s name, email, photo, etc.
� When the client again requests to the server, the server checks the session, if
not expired or destroyed, and allows the client to do tasks, without getting to
logged in again.
� Session expires in three cases:
1. Closing the Browser
2. Time expired
3. Invalidate

27. Live Demonstration

28. between
Cookies and Session

29. Session
� Stores variables in temporary directory in
server.
� Ends when user logout’s or browser closes.
� Stores unlimited amount of data.
� A script can use maximum 128 MB.
� “req.getSession(true)” to create a new
session. “req.getSession(false)” to get the
already set session.
� “session.setAttribute(key, value)” to set
session values.
� “session.invalidate()” or
“session.setMaxInactiveInterval(seconds)
” to destroy session.
� Sessions are more secured as they are
stored in server and encrypted form.
Cookies
� Stores in Client’s (browser).
� Ends on the lifetime set by user.
� Stores limited data.
� Maximum size of Browser’s cookies is 4 KB.
� “new Cookie(key, value)” to create a new
cookie.
� “resp.addCookie(c)” to add the cookie in
the response.
� “c.setMaxAge(seconds)” to set the expiry
time of cookie.
� Cookies are not secured as data is in textual
format and it gets stored in client machine.