Web Application Development * These slides have been adapted and modified from CoreServlets course material (Marty Hall) and LUMS cs391 (Umair Javed).


HTTP is a stateless protocol
▪ Every request is considered independent of every other request

Many web applications need to maintain a conversational state with the client
▪ A shopping cart is a classic example


Example Conversations

When clients at an on-line store add an item to their shopping cart, how does the server know what’s already in the cart?

When clients decide to proceed to checkout, how can the server determine which previously created cart is theirs?


Server Side?
▪ Makes Server Really Complicated
▪ State per client!

Client Side?


Server puts little notes on the client side

When client submits the next form, it also (unknowingly) submits these little notes

Server reads the notes, remembers who the client is


Credit: Programming the World Wide Web Book by Sebesta


Cookies

Advantages
▪ Cookies do not require any server resources since they are stored on the client.
▪ Cookies are easy to implement.
▪ You can configure cookies to expire when the browser session ends (session cookies) or they can exist for a specified length of time on the client computer (persistent cookies).

Disadvantages
▪ Users can delete cookies.
▪ A user's browser can refuse cookies, so your code has to anticipate that possibility.


URL Rewriting

Advantage
▪ Works even if cookies are disabled or unsupported

Disadvantages
▪ Lots of tedious processing
▪ Must encode all URLs that refer to your own site
▪ Links from other sites and bookmarks can fail


For example, the following URLs have been rewritten to pass the session id 123

Original
http://server:port/servlet/rewrite

Extra path information
http://server:port/servlet/rewrite/123

Added parameter
http://server:port/servlet/rewrite?id=123

Custom change
http://server:port/servlet/rewrite;$id$123


Hidden Fields

Advantage
▪ Works even if cookies are disabled or unsupported

Disadvantages
▪ Lots of tedious processing
▪ All pages must be the result of form submissions


<input type="hidden" name="sessionid" value="123">


Session objects live on the server

Automatically associated with client via cookies or URL-rewriting

Checks for a cookie or URL extra info


1. To get the user’s session object

Call the getSession() method of the HttpServletRequest class

Pass false to the getSession() method:
HttpSession ses = request.getSession(false);

If no current session exists:
▪ You will get a null object


1. To get the user’s session object (cont.)

If true is passed to the getSession() method, for example:
HttpSession ses = request.getSession(true);

If the user already has a session
▪ the existing session is returned

If no session exists
▪ a new one is created and returned


2. Storing information in a session

Session objects work like a HashMap
▪ A HashMap is able to store any type of Java object

You can therefore store any number of keys and their values

For example:
ses.setAttribute("id", "123");   // "id" is the key, "123" is the value


3. Looking up information associated with a session

String sID = (String) ses.getAttribute("id");

getAttribute() returns an Object type, so you will need to perform a type cast


4. Terminating session

Automatic
▪ The session is terminated automatically once it has gone without access for the configured amount of time (getMaxInactiveInterval())

Manual
ses.invalidate();


HttpServletResponse provides two methods to perform encoding

1. String encodeURL(String URL)

2. String encodeRedirectURL(String URL)

If cookies are disabled
▪ Both methods encode (rewrite) the specified URL to include the session ID and return the new URL

If cookies are enabled
▪ Both methods return the URL unchanged


1. String encodeURL(String URL)

For example:

String URL = "/servlet/sessiontracker";
String eURL = response.encodeURL(URL);
out.println("<A HREF=\"" + eURL + "\">...</A>");


2. String encodeRedirectURL(String URL)

For example:

String URL = "/servlet/sessiontracker";
String eURL = response.encodeRedirectURL(URL);
response.sendRedirect(eURL);


Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324]

Request

Credit: cs193i at Stanford


Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324]

Response: Set-Cookie: sid=123XYZ

Credit: cs193i at Stanford


Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324]

Request: Set-Cookie: sid=123XYZ

Credit: cs193i at Stanford


Amazon

Servlet Container

Session ID = 123XYZ

Shopping Cart sc[item 1=324 item 2=115]

Request: Set-Cookie: sid=123XYZ

Credit: cs193i at Stanford


getAttribute (getValue in old servlet spec 2.1)
▪ Extracts a previously stored value from a session object. Returns null if no value is associated with given name.

setAttribute (putValue in ver. 2.1)
▪ Associates a value with a name. Monitor changes: values implement HttpSessionBindingListener.

removeAttribute (removeValue in ver. 2.1)
▪ Removes values associated with name.


getCreationTime
▪ Returns time at which session was first created

getLastAccessedTime
▪ Returns time at which session was last sent from client

getMaxInactiveInterval, setMaxInactiveInterval
▪ Gets or sets the amount of time session should go without access before being invalidated

invalidate
▪ Invalidates the session and unbinds all objects associated with it


Although it usually uses cookies behind the scenes, the session tracking API is higher-level and easier to use than the cookie API
▪ If server supports URL-rewriting, your code is unchanged

Session information lives on server
▪ Cookie or extra URL info associates it with a user

Obtaining session
▪ request.getSession(true)

Associating values with keys
▪ session.setAttribute (or session.putValue)

Finding values associated with keys
▪ session.getAttribute (or session.getValue)
▪ Always check if this value is null