Which Session tracking is really good to implement? I guess there are three methods. 1. HttpSession 2. Cookie 3. URL Rewriting.
I did not understand the 3. However, It seems that 1 and 2 have sort of same operations. what we do is put some value<->attribute pair in HttpSession object or Cookie object. but Cookie is created in the client's PC whereas HttpSession is not.
Also I am confused on differences between 1 and 2.
Originally posted by dilip agheda: Which Session tracking is really good to implement? I guess there are three methods. 1. HttpSession 2. Cookie 3. URL Rewriting.
Servlet/JSP containers provide session management through interface HttpSession. Generally, the containers try to use cookie to save session state on the client. If the client doesn't allow cookies or user has disabled cookies then the containers usually try to do session management using URL rewriting.
[Edited] URL rewriting works where cookies would not. Those URLs looks long and pretty bad. Its difficult to bookmark those URLs.
Spec decitates that session tracking cookie should be JSESSIONID. This cookie is passed back and forth between the client and the container. The session tracking cookie is binded into Session Object which you can get a reference using
HttpSession session = request.getSession();
Container will fall back to URL Rewriting only when the client browser doesn't accept cookies.
Thanks for the reply. But still confusion. As all of you are saying that HttpSession (which is first method as i mentioned) is achieved using either Cookie or URL Rewriting. But If I assume that Cookie or URL rewriting are taken care by the container behind the scenes then where in Servlet API, Cookie class exist?
Because If you look at what Cookie class can do is essentially same as HttpSession. Also for URL Rewriting, I have method like encodeURL.
Another Question: Suppose i have scenario like this: I want to store username in a session so that when i redirect to another servlet/page, it is available in that. For that should i use cookie or HttpSession?
But If I assume that Cookie or URL rewriting are taken care by the container
The container can manage the JSESSIONID cookie, but URL rewriting is entirely up to the programmer. The container can recognize that a new request uses a URL that has been rewritten, but thats all. Bill
In general, all the options are good under their own circumstances. Perhaps if you mentioned what in particular you wanted to do with the data we'd be better able to advice which is the best for you in your situation.
For user login, as previously mentioned, its a toss up between cookies or sessions. Most of the time cookies wins out but there are cases (such as when the user's login is tied to specific server processes) that cookies are not the best.