Best option for Session management in Java

java session servlets cookies url-rewriting
64,742

Solution 1

The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). Only thing what you really need to take care of is the URL rewriting for the case that the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use the JSTL's c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.

Your new question shall probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while there's no one created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as a value of the cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.

According to the HTTP cookie spec the client is required to send the same cookies back in the headers of the subsequent request. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back by every call on HttpServletRequest#getSession().

To the point: the only thing which is stored in the client side is the session ID (in flavor of a cookie) and the HttpSession object (including all of its attributes) is stored in the server side (in Java's memory). You don't need to worry about session management youself and you also don't need to worry about the security.

See also:

Solution 2

All Java web frameworks support cookies or URL-encoded session IDs. They will chose the correct approach automatically, so there is nothing you need to do. Just request the session object from your container and it will handle the details.

[EDIT] There are two options: Cookies and a special URL. There are problems with both approaches. For example, if you encode the session in an URL, people can try to pass the session on (by putting the URL into a mail, for example). If you want to understand this, read a couple of articles about security and build app servers. Otherwise: Your Java app server will do the right thing for you. Don't think about it.

Solution 3

The cookie just stores the session ID, this ID is useless once the session has expired.

Solution 4

Servlet specification defines the API for accessing/setting session data in standard J2EE application. Also it defines that session data is stored on the server-side and nothing is transferred to the client except the session identifier. There are 2 mechanisms how session id is transferred:

1) request URL e.g. jessionid=....
2) cookie

Mechanism is determined automatically based on client capabilities.

EDIT. There is no best option, there is servlet specification that defines the way.

Solution 5

Http is a stateless, client-side pull only protocol.

To implement a stateful conversation over it, Java EE Web Server need to hide some information (which is sessionid) in client-side and the mechanism it can use should follow HTTP and HTML spec.

There are three ways to accomplish this goal:

  1. URL Rewriting: Server will add an additional parameter at the end of URL link.
  2. Hidden parameter in Form: server will add an additional parameter at every form in HTML.
  3. cookie: Server will ask browser to maintain a cookie.

Basically, modern web server will have a "filter" to choose which way to use automatically.
So if Server detected that browser already turn off cookie support, it will switch to other ways.

Share:
64,742
Sachin Chourasiya
Author by

Sachin Chourasiya

I am a self motivated software engineer.

Updated on July 09, 2022

Comments

  • Sachin Chourasiya
    Sachin Chourasiya almost 2 years

    Best way managing session in Java. I heard that cookies are not reliable option for this as they gets stored into browser and can be accessed later on? Is this correct? If possible please come up with the answers with the coding example.

    Which is the best among:

    • URL Rewriting: Server will add an additional parameter at the end of URL link
    • Hidden parameter in Form: server will add an additional parameter at every form in HTML
    • cookie: Server will ask browser to maintain a cookie.
  • Andrey Adamovich
    Andrey Adamovich over 14 years
    JSF, Struts, SpringMVC are built on top of servlet specification.
  • Andrey Adamovich
    Andrey Adamovich over 14 years
    You can call for request.getSession().getAttribute() from anywhere where you have access to request object, not just form JSP.
  • Aaron Digulla
    Aaron Digulla over 14 years
    There are no other options, so the question doesn't make sense.
  • Sachin Chourasiya
    Sachin Chourasiya over 14 years
    @Aaron,Did you mean to say that cookies are the only available option?
  • Sachin Chourasiya
    Sachin Chourasiya over 14 years
    This question is related to servlets/JSP.
  • informatik01
    informatik01 almost 11 years
    Update: the current HTTP State Management Mechanism specification is RFC 6265, which obsoletes the previous spec RFC 2965. You may update the link in your answer which points to RFC 2965 (in "HTTP cookie spec").
  • Admin
    Admin almost 11 years
    @BalusC As per the above answer,if i use url rewritting then what is the way to store values and get values like session.setAttribute() and session.getAttribute().
  • Admin
    Admin almost 11 years
    @BalusC See I am using mozilla and i have manually blocked accepting cookies (unchecked allow cookies). Then i tried to store to using session.setAttribute("x",x); Now in another page i am using session.getAttribute(x); and the on the page it shows null. After reading your answer,i tried this way and after that i posted a comment.Is not this way to use session attributes?
  • BalusC
    BalusC almost 11 years
    @javaprogrammer: apparently you didn't do URL rewriting right.
  • Tim Biegeleisen
    Tim Biegeleisen about 5 years
    Your servlet spec link appears to be broken, and you should update your question if possible.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Storing username, pasword using cookies/sessions - Java Servlets
How can I put a cookie in Jersey RESTful webservice?
what's the deal with Cookie.setMaxAge(Integer.MAX_VALUE)?
Configuring session cookies in Weblogic
session id cookie in gwt rpc
Response already commited - java.lang.IllegalStateException: UT010019
How to remove a cookie
Get Cookies from ServletRequest
Difference between setting session timeouts using web.xml and setMaxInactiveInterval
How to activate secure cookies in Wildfly?