SESSION TRACKING
HTTP is a “stateless” protocol: each time a client retrieves a Web page, it opens a separate connection to the Web server, and the server does not automatically maintain contextual information about a client. Even with servers that support persistent (keep-alive) HTTP connections and keep a socket open for multiple client requests that occur close together in time, there is no built-in support for maintaining contextual information. This lack of context causes a number of difficulties. For example, when clients at an on-line store add an item to their shopping carts, how does the server know what’s already in them? Similarly, when clients decide to proceed to checkout, how can the server determine which previously created shopping carts are theirs?
There are three typical solutions to this problem: cookies, URL-rewriting, and hidden form fields.
Cookies
Cookies are small bits of textual information that a server sends to a browser and that the browser returns unchanged when later visiting the same Web site or domain. By letting the server read information it sent the client previously, the site can provide visitors with a number of conveniences such as presenting the site the way the visitor previously customized it or letting identifiable visitors in without their having to enter a password.
To handle cookies, the Servlet API provides the Cookie class. Method summary of the javax.servlet.http.Cookie class:
Cookie(String name, String value)
Constructs a cookie with a specified name and value.
String getName()
Returns the name of the cookie.
String getValue()
Returns the value of the cookie.
void setMaxAge(int expiry)
Sets the maximum age of the cookie in seconds.
To send cookies to the client, a servlet should create one or more cookies with designated names and values with new Cookie(name, value), set any optional attributes with cookie.setXxx (readable later by cookie.getXxx), and insert the cookies into the response headers with response.addCookie(cookie). To read incoming cookies, a servlet should call request.getCookies, which returns an array of Cookie objects corresponding to the cookies the browser has associated with our site (this is null if there are no cookies in the request). In most cases, the servlet loops down this array until it finds the one whose name (getName) matches the name it had in mind, then calls getValue on that Cookie to see the value associated with that name.
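A simple example that uses cookies to distinguish a new client from a returning one:
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class CookieDemo extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        // getCookies() returns null when the request carries no cookies.
        Cookie[] c = request.getCookies();
        if (c == null) {
            out.println("New Client");
            Cookie c1 = new Cookie("key1", "value1");
            c1.setMaxAge(60); // the browser discards the cookie after 60 seconds
            response.addCookie(c1);
        } else {
            out.println("Old Client");
            // Reads the first cookie in the array, which is key1 only if the
            // browser sent no other cookies for this site.
            Cookie d = c[0];
            // Name and value are supplied by the client and are printed unescaped here.
            out.println(d.getName());
            out.println(d.getValue());
        }
    }
}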
Output:
1st request -- New Client
2nd request -- Old Client key1 value1
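The lookup-by-name loop described above, with the cookie flagged HttpOnly and Secure and its value HTML-escaped before it is echoed. This is an added example, not code from the original post; the class name, the cookie name visitorId and the helper methods are assumptions, and setHttpOnly requires Servlet 3.0 or later.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class name, cookie name and helpers are hypothetical.
public class NamedCookieDemo extends HttpServlet {
    private static final String COOKIE_NAME = "visitorId";

    /** Returns the cookie with the given name, or null if the request has none. */
    static Cookie findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();   // null when no cookies were sent
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c;
        }
        return null;
    }

    /** Minimal HTML escaping: cookie values come from the client and are untrusted. */
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        Cookie existing = findCookie(request, COOKIE_NAME);
        if (existing == null) {
            Cookie fresh = new Cookie(COOKIE_NAME, UUID.randomUUID().toString());
            fresh.setMaxAge(60);       // seconds, as in the example above
            fresh.setHttpOnly(true);   // hidden from page scripts (Servlet 3.0+)
            fresh.setSecure(true);     // browser returns it over HTTPS only
            fresh.setPath(request.getContextPath() + "/");
            response.addCookie(fresh);
            out.println("New Client");
        } else {
            out.println("Old Client " + escapeHtml(existing.getValue()));
        }
    }
}
```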
URL-Rewriting
With this approach, the client appends some extra data on the end of each URL that identifies the
session, and the server associates that identifier with data it has stored about that session. For
example, with http://host/path/file.html;jsessionid=1234, the session information is attached as
jsessionid=1234. This is also an excellent solution, and even has the advantage that it works
when browsers don’t support cookies or when the user has disabled them. However, it has most
of the same problems as cookies, namely, that the server-side program has a lot of
straightforward but tedious processing to do. In addition, we have to be very careful that every
URL that references our site and is returned to the user (even by indirect means like Location
fields in server redirects) has the extra information appended. And, if the user leaves the session
and comes back via a bookmark or link, the session information can be lost.
Hidden Form Fields
HTML forms can have an entry that looks like the following: <INPUT TYPE="HIDDEN" NAME="session" VALUE="..."> This entry means that, when the form is submitted, the specified name and value are included in the GET or POST data. This hidden field can be used to store information about the session, but it has the major disadvantage that it only works if every page is dynamically generated.
Session Tracking in Servlets
Servlets provide an outstanding technical solution: the HttpSession API. This high-level interface
is built on top of cookies or URL-rewriting. In fact, most servers use cookies if the browser
supports them, but automatically revert to URL-rewriting when cookies are unsupported or
explicitly disabled.
HttpSession Methods
Object getValue(String name)
Object getAttribute(String name)
Extracts a previously stored value from a session object. Returns null if no value is associated
with given name.
void putValue(String name, Object value)
void setAttribute(String name, Object value)
Associates a value with a name. If value implements HttpSessionBindingListener, its
valueBound method is called. If previous value implements HttpSessionBindingListener, its
valueUnbound method is called.
void removeValue(String name)
void removeAttribute(String name)
Removes any values associated with designated name. If value being removed implements
HttpSessionBindingListener, its valueUnbound method is called.
String[] getValueNames()
Enumeration getAttributeNames()
Returns the names of all attributes in the session.
String getId()
Returns the unique identifier generated for each session.
boolean isNew()
Returns true if the client (browser) has never seen the session; false otherwise.
long getCreationTime()
Returns time at which session was first created (in milliseconds since
1970). To get a value useful for printing, pass value to Date constructor
or the setTimeInMillis method of GregorianCalendar.
long getLastAccessedTime()
Returns time at which the session was last sent from the client.
int getMaxInactiveInterval()
void setMaxInactiveInterval(int seconds)
Gets or sets the amount of time, in seconds, that a session should go without access before being
automatically invalidated. A negative value indicates that session should never time out. Not the
same as cookie expiration date.
public void invalidate()
Invalidates the session and unbinds all objects associated with it.
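The methods listed above are enough to rotate the session ID at login and to end the session at logout, so that an ID the client held before authenticating is never promoted to an authenticated session. This is an added example, not code from the original post; the class name, request parameter names and redirect targets are assumptions, and request.login/logout require Servlet 3.0 or later with a configured container realm.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class name, parameters and redirect targets are hypothetical.
public class LoginServlet extends HttpServlet {
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            HttpSession current = request.getSession(false); // do not create one here
            if (current != null) current.invalidate();       // unbinds all attributes
            request.logout();
            response.sendRedirect(request.getContextPath() + "/login.html");
            return;
        }

        // Discard whatever session (and ID) existed before authentication.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = request.getSession(true);       // issued with a new ID

        String user = request.getParameter("user");
        try {
            // Container-managed credential check against the configured realm.
            request.login(user, request.getParameter("password"));
        } catch (ServletException e) {
            session.invalidate();                              // nothing to keep on failure
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS); // server-side idle timeout
        session.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/account");
    }
}
```

On Servlet 3.1 and later, request.changeSessionId() rotates the ID while keeping the session's attributes.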
The following simple servlet shows basic information about the client’s session. When the client
connects, the servlet uses request.getSession(true) to either retrieve the existing session or, if
there was no session, to create a new one. The servlet then looks for an attribute of type Integer
called accessCount. If it cannot find such an attribute, it uses 0 as the number of previous
accesses. This value is then incremented and associated with the session by putValue. Finally,
the servlet prints a small HTML table showing information about the session. Figures show the
servlet on the initial visit and after the page was reloaded several times.
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

/** Simple example of session tracking. See the shopping
 *  cart example for a more detailed one.
 */
public class ShowSession extends HttpServlet {
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String title = "Session Tracking Example";
        // Retrieve the existing session or create a new one.
        HttpSession session = request.getSession(true);
        String heading;
        // Use getAttribute instead of getValue in version 2.2.
        Integer accessCount =
            (Integer)session.getValue("accessCount");
        if (accessCount == null) {
            accessCount = new Integer(0);
            heading = "Welcome, Newcomer";
        } else {
            heading = "Welcome Back";
            accessCount = new Integer(accessCount.intValue() + 1);
        }
        // Use setAttribute instead of putValue in version 2.2.
        session.putValue("accessCount", accessCount);
        // ServletUtilities is a helper class that is not shown on this page;
        // headWithTitle is assumed to emit the opening <HTML> and <HEAD> with the title.
        out.println(ServletUtilities.headWithTitle(title) +
                    "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                    "<H1 ALIGN=\"CENTER\">" + heading + "</H1>\n" +
                    "<H2>Information on our Session:</H2>\n" +
                    "<TABLE BORDER=1 ALIGN=\"CENTER\">\n" +
                    "<TR BGCOLOR=\"#FFAD00\">\n" +
                    " <TH>Info Type<TH>Value\n" +
                    "<TR>\n" +
                    " <TD>ID\n" +
                    " <TD>" + session.getId() + "\n" +
                    "<TR>\n" +
                    " <TD>Creation Time\n" +
                    " <TD>" +
                    new Date(session.getCreationTime()) + "\n" +
                    "<TR>\n" +
                    " <TD>Time of Last Access\n" +
                    " <TD>" +
                    new Date(session.getLastAccessedTime()) + "\n" +
                    "<TR>\n" +
                    " <TD>Number of Previous Accesses\n" +
                    " <TD>" + accessCount + "\n" +
                    "</TABLE>\n" +
                    "</BODY></HTML>");
    }

    /** Handle GET and POST requests identically. */
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
Output: