Best option for Session management in Java

by

The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don’t need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). Only thing what you really need to take care of is the URL rewriting for the case that the client doesn’t support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use the JSTL’s c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.

Your new question shall probably be “But how are cookies related to this? How does the server do it all?”. Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while there’s no one created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as a value of the cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.

According to the HTTP cookie spec the client is required to send the same cookies back in the headers of the subsequent request. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back by every call on HttpServletRequest#getSession().

To the point: the only thing which is stored in the client side is the session ID (in flavor of a cookie) and the HttpSession object (including all of its attributes) is stored in the server side (in Java’s memory). You don’t need to worry about session management youself and you also don’t need to worry about the security.

See also:

More Related Contents:

  1. How do you remove a Cookie in a Java Servlet
  2. How do I keep a user logged into my site for months?
  3. Sharing session data between contexts in Tomcat
  4. Session is lost and created as new in every servlet request
  5. Retrieving servlet context, session and request in a POJO outside container
  6. SessionTimeout: web.xml vs session.maxInactiveInterval()
  7. sending variable from one jsp to another jsp
  8. Sending POST request with username and password and save session cookie
  9. Is there a url rewriting engine for Tomcat/Java?
  10. Managing webapp session data/controller flow for multiple tabs
  11. How to set session timeout dynamically in Java web applications?
  12. Is synchronization within an HttpSession feasible?
  13. How can I manually load a Java session using a JSESSIONID?
  14. Find number of active sessions created from a given client IP
  15. HttpServletRequest get JSON POST data [duplicate]
  16. Servlet vs Filter
  17. Is it possible to disable jsessionid in tomcat servlet?
  18. How to read request.getInputStream() multiple times
  19. Multiple submit buttons in the same form calling different Servlets
  20. How to invoke a servlet without mapping in web.xml?
  21. Different ways to get Servlet Context
  22. Correct usage of Stateful Beans with Servlets
  23. How to Reuse HttpUrlConnection? [duplicate]
  24. Displaying pdf in jsp
  25. HttpServletResponse sendRedirect permanent
  26. Prevent multiple login using the same user name and password
  27. How can I know if the request to the servlet was executed using HTTP or HTTPS?
  28. How to store a file on a server(web container) through a Java EE web application?
  29. Tomcat VS Jetty [closed]
  30. Create and download CSV file in a Java servlet

Leave a Comment