Servlet Session Tracking

advertisement
Servlet Session Tracking
Persistent information

A server site typically needs to maintain two kinds
of persistent (remembered) information:

Information about the session


A session starts when the user logs in or otherwise identifies
himself/herself, and continues until the user logs out or
completes the transaction (for example, makes a purchase)
Information about the user


User information must generally be maintained much longer
than session information (for example, remembering a
purchase)
This information must be stored on the server, for example on
a file or in a database
2
Server capabilities

Servlets, like Applets, can be trusted or untrusted





A servlet can use a unique ID to store and retrieve information about a
given session
User information usually requires a login ID and a password
Since servlets don’t quit between requests, any servlet can maintain
information in its internal data structures, as long as the server keeps
running
A trusted servlet can read and write files on the server, hence can maintain
information about sessions and users even when the server is stopped and
restarted
An untrusted servlet will lose all information when the servlet or server
stops for any reason


This is sometimes good enough for session information
This is almost never good enough for user information
3
Session tracking

HTTP is stateless: When it gets a page request, it has no
memory of any previous requests from the same client



This makes it difficult to hold a “conversation”
 Typical example: Putting things one at a time into a
shopping cart, then checking out--each page request must
somehow be associated with previous requests
The server must be able to keep track of multiple
conversations with multiple users
Session tracking is keeping track of what has gone
before in this particular conversation



Since HTTP is stateless, it does not do this for you
You have to do it yourself, in your servlets
You can do this by maintaining a session ID for each user
4
Session tracking solutions

Hidden <form> fields can be used to store a unique ID
for the session

Cookies are small files that the servlet can store on the
client computer, and retrieve later

URL rewriting: You can append a unique ID after the
URL to identify the user

Java’s Session Tracking API can be used to do most of
the work for you
5
Hidden <form> fields

<input type="hidden" name="sessionID" value="...">

Advantages:

All you need to know is how to read servlet parameters




Efficient: Minimizes repeated calls to the server
Disadvantages:



String sessionID = getParameter("sessionID");
out.println("<input type=\"hidden\" name=\"sessionID\" value=\" +
sessionID + "\">");
Not kept across sessions, so useless for maintaining persistent
information about a user
Since the session ID must be incorporated into every HTML page, every
HTML page must be dynamically generated
Hidden fields are good for session tracking (holding a
“conversation” with the user)--they’re simple and efficient
6
Using hidden <form> fields, I

The very first request that the user sends you will (typically)
have null for the value of your hidden field


Each subsequent request will include this hidden field



When your servlet sees the null, it can assign a unique session ID and
include it in a hidden field in the response
The servlet can keep session information in some data structure of its
own, keyed by the session ID
This is feasible because the servlet does not quit between requests, so it
can maintain information in its memory
You cannot assume the user will end the session the way you
think she should (say, by logging off)

If the session data is sufficiently “old,” you need to assume the user isn’t
coming back, and discard the session data
7
Using hidden <form> fields, II

The session ID does not have to be the only hidden field




You can have other fields in addition to, or instead of, a
session ID field
This might be a good way to keep track of small amounts of
simple information during a session
Hidden fields are not particularly well suited to holding
complex or structured information
In all cases, hidden <form> fields are good only for
storing session information

Information in servlet data structures will eventually be lost
(when the servlet quits) or get old and be discarded
8
Cookies

A cookie is a small bit of text sent to the client that can be read
again later

Limitations (for the protection of the client):





Not more than 4KB per cookie (more than enough in general)
Not more than 20 cookies per site
Not more than 300 cookies total
Cookies are not a security threat
Cookies can be a privacy threat



Cookies can be used to customize advertisements
Outlook Express allows cookies to be embedded in email
A servlet can read your cookies


Incompetent companies might keep your credit card info in a cookie
Netscape and Firefox let you refuse cookies to sites other than that to which
you connected
9
Using cookies



import javax.servlet.http.*;
Constructor: Cookie(String name, String value)
Assuming request is an HttpServletRequest and response
is an HttpServletResponse,
 response.addCookie(cookie);
 Cookie[ ] cookies = request.getCookies();



String name = cookies[i].getName();
String value = cookies[i].getValue();
There are, of course, many more methods in the
HttpServletRequest, HttpServletResponse, and
Cookie classes in the javax.servlet.http package
10
Some more Cookie methods


public void setComment(String purpose)
 public String getComment()
public void setMaxAge(int expiry)
 public int getMaxAge()




Max age in seconds after which cookie will expire
If expiry is negative, delete when browser exits
If expiry is zero, delete cookie immediately
setSecure(boolean flag)
 public boolean getSecure()

Indicates to the browser whether the cookie should only be sent using a
secure protocol, such as HTTPS or SSL
11
What cookies are good for

Advantages:



Java’s Session Tracking API (to be discussed) makes cookies dead
simple to use
Cookies can easily contain more data than hidden fields
Data is stored on the client computer, not on yours



Disadvantages:

Data is stored on the client computer, not on yours




This saves space on the server
May let you avoid keeping track of multiple(session) data structures
This means the data is neither safe nor secure
Should not be used for user data--cookies may be discarded or the user
may contact the server from another computer
Users can tell their browser to turn cookies off
Cookies are good for keeping session data, not user data
12
Java’s session tracking API, I

Here’s how you get a session ID from the request:


Here’s what this does for you:



HttpSession session = request.getSession();
If the session includes a session ID cookie
then find the session matching that session ID
else (no session ID cookie or no matching session)
create a new session
This method does all the cookie work for you
Whether the session is a new one or a pre-existing one,
you get an HttpSession for it
13
Java’s session tracking API, II

Here’s how you send a cookie in the response:


What this does for you:






HttpSession session = request.getSession();
Creates a new HttpSession object, or retrieves a previous one
Creates a unique session ID
Makes a new cookie object
Associates the cookie with the session ID
Puts the cookie in the response (under the Set-Cookie header)
Notice that:


This is exactly the same call as in the previous slide
The message is sent to the request, not the response
14
Using an HttpSession

session.setAttribute(String name, Object value)


object = session.getAttribute(String name)


You can get rid of an object you no longer need
boolean session.isNew()


You can find the names of all your objects
session.removeAttribute(String name)


You can retrieve your saved objects by name
Enumeration e = session.getAttributeNames()


You can save objects in an HttpSession
true if the session is newly created, rather than retrieved
String id = session.getId()

You can get the session ID (if you’re debugging, or just curious)
15
Quitting an HttpSession

session.invalidate()

Quits the session and unbinds any objects in it

milliseconds = session.getCreationTime()
 (since midnight January 1, 1970 GMT)
milliseconds = session.getLastAccessedTime()
 (again, since 1970)
session.setMaxInactiveInterval(int seconds)
 Sets the time until the session is automatically invalidated
int seconds = session.getMaxInactiveInterval()

So the Session API does nearly everything you need!



16
URL rewriting

If the user has cookies turned off, you can use URL
rewriting


URL rewriting adds the session ID to the end of every
URL:


URL rewriting is only used as a backup for cookies
URL + ;jsessionid=0ABCDEF98765
This is almost automatic, but:


Cookies must fail, and
You must explicitly “encode” (add the extra information to)
your URLs, for example:

out.println("<a href=\"" + response.encodeURL(yourURL) +
"\">click me</a>");
17
What the Container does

If you are using the Session API,




When the Container (Tomcat) starts a new session, it sends a
cookie and does URL rewriting
If it gets a cookie back, it abandons URL rewriting
The Container can’t just send a cookie and see if it gets
it back, because it can’t tell that what it gets back is
from the same session
A “dumb” Container may always send the cookie and
do URL rewriting each time
18
More HttpServletRequest methods

public HttpSession getSession()


public Enumeration getHeaderNames()


Given the header name, return its value
public int getIntHeader(String name)




Gets an Enumeration of all the field names in the HTTP header
public String getHeader(String name)


Gets the session object for this request (or creates one if necessary)
Given the header name, return its value as an int
Returns -1 if no such header
Could throw a NumberFormatException
public Enumeration getHeaders(String name)

Given the header name, return an Enumeration of all its values
19
Summary: Session Tracking API


The session tracking API is in javax.servlet.http.HttpSession and is
built on top of cookies
To use the session tracking API:
 Create a session:


HttpSession session = request.getSession();
 Returns the session associated with this request
 If there was no associated session, one is created
Store information in the session and retrieve it as needed:


session.setAttribute(name, value);
Object obj = getAttribute(name);

Session information is automatically maintained across requests

To allow URL rewriting, use response.encodeURL(yourURL)
20
Other uses of cookies




Cookies were devised for managing sessions, but you
can use them for other things
You can use cookies for storing small amounts of
information on your client computers
By default, cookies are discarded when the browser
quits
cookie.setMaxAge(int seconds)



If seconds is positive, cookie should persist for that long
If seconds is negative, cookie is deleted when browser quits
If seconds is zero, cookie is deleted immediately
21
Summary

A session is a continuous interaction with the user




HTTP is stateless, so the programmer must do something to
remember session information
There are multiple ways to remember session information
The session ends when the user quits the browser (or a session may
be set to time out)
Some information must be kept longer than just within a
session


For example, if the user orders a product, that information must be
kept in a database
Long-term storage of information requires that the servlet have
some additional privileges
22
The End
23
Download