Session Tracking Mechanisms in Servlets
To maintain the session between a web server and a web client, the following methods can be used.
1. Cookies
To handle the client's subsequent requests, the web server assigns a unique session ID to the web client as a cookie. The client passes this cookie with each later request so that the server can check its validity and process the request.
This is not considered an efficient approach because it is browser dependent, and some browsers at times do not support cookies. The general syntax is as follows.
Cookie cookie = new Cookie("sessionId", "123456");
response.addCookie(cookie);
2. Hidden Form Fields
A web server can also pass a hidden HTML form field as an input element along with a unique session ID as follows.
<input type = "hidden" name = "sessionId" value = "12345">
This adds the name and value to each request that the client sends to the server; when the response is received, the sessionId value can be used to track different browser actions.
Since clicking a regular anchor tag (<a href="">) hypertext link doesn't result in a form submission, this can't support general session tracking and so can't be an efficient way to handle the transmission of information.
3. URL Rewriting
URL rewriting appends some data or a token to the URL as the session ID. The server decodes it, associates it with its stored session values, and uses it to identify the legitimate request.
The value can be appended as a query parameter carrying the sessionid value, which the server reads to identify the client request.
Although this helps maintain the information flow between the server and the client and is independent of the browser, the URL is generated dynamically. Thus, it is not considered a choice for static pages.
String urlWithSessionId = response.encodeURL("/api");
Session Management in Java
A session is used to save user information temporarily on the server. It starts the moment the user logs into the application and remains until the user logs out of the application or shuts down the machine. In both cases, the session values are deleted automatically. Hence, it functions as temporary storage that can be accessed while the user is active in the application and whenever the user requests a URI. The session is stored in binary values, hence maintaining the security aspect, and can be decoded only at the server end.
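The login-to-logout lifecycle described above, written with the servlet HttpSession API as an added example (not code from the original page). It assumes a Jakarta Servlet 5+ container with a security realm configured for request.login(); the URL patterns, the "user" attribute name and the 15-minute idle timeout are hypothetical.

```java
// Added example. On older containers replace jakarta.servlet.* with javax.servlet.*.
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;

// Hypothetical paths: POST /login, POST /logout, GET /profile.
@WebServlet(urlPatterns = {"/login", "/logout", "/profile"})
public class SessionLifecycleServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            req.logout();                               // clear the container's login state
            HttpSession old = req.getSession(false);    // false: never create a session here
            if (old != null) old.invalidate();          // deletes the server-side session values
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        try {
            // The container's realm verifies the credentials; failure throws.
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);     // the session starts at login
        req.changeSessionId();   // fresh ID, so an ID handed out before login stops working
        session.setAttribute("user", req.getRemoteUser());
        session.setMaxInactiveInterval(15 * 60);        // idle timeout in seconds (assumed value)
        resp.sendRedirect(req.getContextPath() + "/profile");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);    // look up only, do not create
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Signed in as " + session.getAttribute("user"));
    }
}
```

Only the session ID travels to the client; the "user" attribute stays in the container's session store and is looked up from that ID on each request.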