Session Tracking - 2

Lec 32

Last Lecture Review Session Tracking – why?

Need to store state – typical solutions

Cookies – already learned URL Rewriting Hidden Form Fields

Session Tracking

Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324]

Request

Credit: cs193i at Standford

Session Tracking

Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324]

Response:Set-Cookie: sid=123XYZ

Credit: cs193i at Standford

Session Tracking

Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324]

Request:Set-Cookie: sid=123XYZ

Credit: cs193i at Standford

Session Tracking

Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324 item 2=115]

Request:Set-Cookie: sid=123XYZ

Credit: cs193i at Standford

URL Rewriting

URL Rewriting We can pass extra information to client by rewriting URLs.

(appending info with URL)

The extra information can be in the form of Extra path information,

Added parameters, or

Some custom, server-specific URL change

Due to limited space available in rewriting a URL, the extra information is usually limited to a unique session ID

URL Rewriting: Examples For example, the following URLs have been rewritten

to pass the session id 123

Originalhttp://server:port/servlet/rewrite

Extra path informationhttp://server:port/servlet/rewrite/123

Added parameterhttp://server:port/servlet/rewrite?id=123

Custom changehttp://server:port/servlet/rewrite;$id$123

URL Rewriting: Disadvantages What if the user bookmarks the page?

Every URL on a page which needs the session information must be rewritten each time page is served Computationally expensive Can increase communication overhead

State stored in URLs is not persistent

Limits the client’s interaction with the server to HTTP GET request

Hidden Form Fields

Hidden Form Fields <input type=“hidden” name=“sessionid” value=“123”>

Java’s Solution forSession Tracking

HttpSession API

Using HttpSession1. To get the user’s session object

Call getSession( ) method of HTTPServletRequest class

pass false to the getSession() method HttpSession ses = request.getSession(false);

If no current session exists: You will get a null object

Using HttpSession cont.1. To get the user’s session object (cont.)

If true is passed to the getSession() method then

If user already has a session the existing session is returned

For example: HttpSession ses = request.getSession(true);

If no session exists a new one is created and returned

Using HttpSession cont.2. Storing information in a session

Session objects works like a HashMap HashMap is able to store any type of java object

You can therefore store any number of keys and their values

For example

ses.setAttribute(“id”, “123”);

key Value

Using HttpSession cont.3. Looking up information associated

with a session

String sID =

(String)ses.getAttribute(“id”);

returns an Object type, so you will need to perform a type cast

Using HttpSession cont.4. Terminating session

Automatic After the amount of time session gets terminated

automatically( getMaxInactiveInterval( ) )

Manual

ses.invalidate();

Example Code

Showing Session Information

Encoding URLs Sent to Client HttpServletResponse provides two methods to

perform encoding

1. String encodeURL(String URL)

2. String encodeRedirectURL(String URL)

If Cookies disabled Both methods encodes (rewrites) the specified URL to

include the session ID and returns the new URL

If Cookies enabled Returns the URL unchanged

Encoding URLs Sent to Client cont.1. String encodeURL(String URL)

For example

String URL = “/servlet/sessiontracker”; String eURL = response.encodeURL(URL);

out. println("<A HREF=\"" + eURL + "\">...</A>");

Encoding URLs Sent to Clientcont.2. String encodeRedirectURL(String URL)

For exampleString URL = “/servlet/sessiontracker”;

String eURL = response.encodeRedirectURL(URL); response.sendRedirect(eURL);

Example Code

Online Book Store