What is Session Tracking?
There are a number of problems that arise from the fact that HTTP
is a "stateless" protocol. In particular, when you are doing
on-line shopping, it is a real annoyance that the Web server can't
easily remember previous transactions. This makes applications like shopping carts
very problematic: when you add an entry to your cart, how does the
server know what's already in your cart? Even if servers did retain
contextual information, you'd still have problems with e-commerce.
When you move from the page where you specify what you want to buy
(hosted on the regular Web server) to the page that takes
your credit card number and shipping address (hosted on the secure server
that uses SSL), how does the server remember what you were buying?
There are three typical solutions to this problem.
- Cookies. You can use HTTP
cookies to store information about a shopping session, and each
subsequent connection can look up the current session and then
extract information about that session from some location on
the server machine. This is an excellent alternative, and is
the most widely used approach. However, even though servlets
have a high-level and
easy-to-use interface to cookies, there are still a number of
relatively tedious details that need to be handled:
  - Extracting the cookie that stores the session identifier
    from the other cookies (there may be many, after all),
  - Setting an appropriate expiration time for the cookie
    (sessions interrupted by 24 hours probably should be reset), and
  - Associating information on the server with the session identifier
    (there may be far too much information to actually store it in the cookie,
    plus sensitive data like credit card numbers should never go in cookies).
- URL Rewriting. You can append some extra data on the end of
each URL that identifies the session, and the server can associate that
session identifier with data it has stored about that session. This is
also an excellent solution, and even has the advantage that it works
with browsers that don't support cookies or where the user has disabled
cookies. However, it has most of the same problems as cookies, namely that
the server-side program has a lot of straightforward but tedious processing
to do. In addition, you have to be very careful that every URL returned
to the user (even via indirect means like
Location fields in server
redirects) has the extra information appended. And, if the user leaves the
session and comes back via a bookmark or link, the session information can
be lost.
- Hidden form fields. HTML forms have an entry that
looks like the following:
<INPUT TYPE="HIDDEN" NAME="session" VALUE="...">.
This means that, when the form is submitted, the specified name and value
are included in the GET or POST data. This can be used to store information
about the session. However, it has the major disadvantage that it only works
if every page is dynamically generated, since the whole point is that each
session has a unique identifier.
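
The three bookkeeping details listed under Cookies above, done by hand with only the JDK. This is an added example, not code from the original tutorial; the class name, the cookie name `sessionid` and the sample timestamps are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class ManualSessionTracker {
    static final String COOKIE_NAME = "sessionid";           // assumed cookie name
    static final Duration IDLE_LIMIT = Duration.ofHours(24); // reset after a 24-hour gap
    private final Map<String, Map<String, Object>> data = new ConcurrentHashMap<>();
    private final Map<String, Instant> lastSeen = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    // Detail 1: pick the session cookie out of a header such as "a=1; sessionid=...; b=2".
    static String extractSessionId(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).trim().equals(COOKIE_NAME))
                return pair.substring(eq + 1).trim();
        }
        return null;
    }
    // Details 2 and 3: map the identifier to server-side data; unknown or stale ids get null.
    Map<String, Object> lookup(String cookieHeader, Instant now) {
        String id = extractSessionId(cookieHeader);
        Instant seen = (id == null) ? null : lastSeen.get(id);
        if (seen == null || Duration.between(seen, now).compareTo(IDLE_LIMIT) > 0) {
            if (id != null) { lastSeen.remove(id); data.remove(id); }
            return null;                        // caller issues a fresh session
        }
        lastSeen.put(id, now);
        return data.get(id);
    }
    // New session: the cookie carries only an unguessable identifier, never the cart itself.
    String create(Instant now) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        data.put(id, new ConcurrentHashMap<>());
        lastSeen.put(id, now);
        return COOKIE_NAME + "=" + id + "; Max-Age=" + IDLE_LIMIT.getSeconds() + "; Path=/; HttpOnly";
    }

    public static void main(String[] args) {
        ManualSessionTracker t = new ManualSessionTracker();
        Instant t0 = Instant.parse("2000-01-01T10:00:00Z");          // constructed sample time
        String header = "lang=en; " + t.create(t0).split(";")[0] + "; theme=dark";
        t.lookup(header, t0.plusSeconds(60)).put("cart", List.of("book"));
        System.out.println(t.lookup(header, t0.plusSeconds(3600)));  // same session, one hour later
        System.out.println(t.lookup(header, t0.plus(Duration.ofHours(30)))); // idle for over 24 hours
    }
}
```
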
Servlets provide an outstanding technical solution: the HttpSession API.
This is a high-level interface built on top of cookies or URL-rewriting.
In fact, on many servers, sessions use cookies if the browser supports them,
but automatically revert to URL-rewriting when cookies are unsupported
or explicitly disabled. But the servlet author doesn't need to bother
with many of the details, doesn't have to explicitly manipulate cookies
or information appended to the URL, and is automatically given a convenient
place to store data that is associated with each session.
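
A small cart servlet built on HttpSession, added here as an example and not taken from the tutorial. It assumes the Servlet 2.2 or later `javax.servlet` API on the classpath; the class name, the `cart` attribute, the `add` parameter and the `checkout` link are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.http.*;

public class CartServlet extends HttpServlet {
    // Per-session cart kept on the server; the browser only ever holds the session identifier.
    @SuppressWarnings("unchecked")
    private static List<String> cart(HttpSession session) {
        synchronized (session) {
            List<String> cart = (List<String>) session.getAttribute("cart");
            if (cart == null) {
                cart = new CopyOnWriteArrayList<>();
                session.setAttribute("cart", cart);
            }
            return cart;
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String item = req.getParameter("add");
        if (item != null) cart(req.getSession(true)).add(item);
        // The Location header of a redirect must carry the identifier too when cookies are off.
        res.sendRedirect(res.encodeRedirectURL(req.getRequestURI()));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        List<String> cart = cart(req.getSession(true));
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.println("<UL>");
        for (String entry : cart) out.println("<LI>" + escapeHtml(entry) + "</LI>");
        out.println("</UL>");
        // encodeURL appends the session identifier only if the container is using URL rewriting.
        out.println("<A HREF=\"" + res.encodeURL("checkout") + "\">Check out</A>");
    }

    // The cart holds request parameters, so escape them before writing them into the page.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```
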
This tutorial is now available as a book: Core Servlets and JavaServer Pages by Marty Hall, published by Sun Microsystems Press.
Read all about it at CoreServlets.com
Server-Side Web Applications using Java Servlets versions 2.1/2.2 and JavaServer Pages (JSP) version 1.0: A Tutorial
© 1999-2000 Marty Hall.
All source code freely available for unrestricted use.
Created for work in the Research and Technology Development Center of the Johns Hopkins University Applied Physics Lab, for courses in the Johns Hopkins Part-Time MS Program in Computer Science, and for various industry seminars and on-site Java short courses.
Please note that this is a first draft of the tutorial, so please send corrections, comments, and suggestions to me at hall@apl.jhu.edu.
Reprinted with permission from the author.