Session Tracking

Concepts

  • Using basic session tracking
  • Understanding the session-tracking API
  • Differentiating between server and browser sessions
  • Storing immutable objects vs. storing mutable objects
  • Tracking user access counts

The Need for Session Tracking

  • HTTP is a stateless protocol
  • Session Tracking is adding state back to HTTP
  • Session Tracking lets us keep track of user data as they navigate our web applications

Ways of Maintaining State

  • Hidden Form Fields
    • Very early attempt to do session tracking.
    • All site navigation had to go through form submissions.
    • A session was lost if users clicked on regular links.
  • URL Rewriting
    • Appends a session ID to the end of all URLs of a site dynamically.
    • Works well and the site does not lose track of user sessions.
    • Requires lots of server side coding.
  • Cookies
    • Use a cookie to store a session ID in the browser.
    • This was the best solution for a long time.
    • Users accept cookies now.
  • Tokens
    • Set a custom response header that contains a generated token.
    • The token has information in it that identifies you.
    • The server can decode the token to see if you have a valid login.
    • JWT: JSON Web Tokens

Session Tracking in Servlets

  • HttpSession is used for session tracking
  • Very simple to code
  • Very flexible and powerful

Session Tracking Basics

Access the current session object.

    HttpSession session = request.getSession();

Look up information associated with the session.

    session.getAttribute("attribute_name");

Store information in a session.

    session.setAttribute("attribute_name", <object>);

Remove session data.

    session.removeAttribute("attribute_name");
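
The four calls above combined into a per-session access counter. This is an added example, not code from the original notes; the servlet name, URL pattern, and attribute name are hypothetical, and it assumes the javax.servlet API (Servlet 3.0 or later for @WebServlet).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class name, URL pattern and attribute name are hypothetical.
@WebServlet("/access-count")
public class AccessCountServlet extends HttpServlet {
    private static final String COUNT_ATTR = "accessCount";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Access the current session; the container creates one if none exists.
        HttpSession session = request.getSession();

        // Look up: getAttribute returns Object, or null when nothing is stored.
        Integer count = (Integer) session.getAttribute(COUNT_ATTR);

        // Integer is immutable, so the new value must be stored again.
        // This read-modify-write is not atomic across concurrent requests in
        // the same session; a lost increment is acceptable for a visit counter.
        count = (count == null) ? 1 : count + 1;
        session.setAttribute(COUNT_ATTR, count);

        // Only server-side values are written out; no request input is echoed.
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println(session.isNew() ? "Welcome" : "Welcome back");
        response.getWriter().println("Visits this session: " + count);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Reset is a state change, so it is handled on POST rather than GET.
        // getSession(false) avoids creating a session just to clear it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(COUNT_ATTR);
        }
        response.sendRedirect(request.getContextPath() + "/access-count");
    }
}
```

The counter lives in the server-side session, so it restarts when the browser presents a new session ID or the session expires on the server.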

Example: Sessions in JSP

Example: Sessions in Servlets