
role of cookie in session

priya kakkar
Greenhorn

Joined: May 12, 2007
Posts: 25
I am new to servlets and was trying to make an application.
I want to save a value for a sequence of JSPs.
If I have an option to use HttpSession or Cookie, it is said that HttpSession is better to use.
But I came to know that HttpSession also saves values in a cookie.

Someone please clarify how a cookie is different from a session, as when I am using HttpSession, a cookie is used too.

I am really confused
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Sessions actually use cookies (or, more accurately, can use them).

Sessions are used to store objects, in memory or in a database, on the server.
With cookies, you either save the data on the user's machine or save a key on their machine that can be used to look up the data on the server.

The biggest advantage to HttpSessions (to me anyway) is that the container does most of the work for you.


priya kakkar
Greenhorn

Joined: May 12, 2007
Posts: 25
When a session uses a cookie, what do we store in the cookie? Is it the session ID?

If it is, the same can be done by using a cookie too.
What does the container do in the case of HttpSession (which we need to do ourselves when using a cookie)?

Also, how is the following work done?
"With cookies, you either save the data on the user's machine or save a key on their machine that can be used to look up the data on the server."
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

Originally posted by priya kakkar:

Also, how is the following work done?
"With cookies, you either save the data on the user's machine or save a key on their machine that can be used to look up the data on the server."


The servlet engine does it for you, automatically.

It is, however, considered much better form to store a key or nonce in the cookie, and use the key/nonce to look up data on your server. Never trust data from a client machine.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by priya kakkar:
When a session uses a cookie, what do we store in the cookie? Is it the session ID?

As mentioned earlier, we don't do anything.
The container will handle this for you.
The container does store a unique key in the cookie.
You can see this with any tool that allows you to view HTTP headers, such as the Firebug or LiveHttpHeaders plugins for Firefox.
Cookie: JSESSIONID=FF1F6BE29387AC0B224BAF926FB09B23



Originally posted by priya kakkar:

If it is, the same can be done by using a cookie too.
What does the container do in the case of HttpSession (which we need to do ourselves when using a cookie)?

It generates the unique string, passes it to the browser, reads it back.
It also ensures that you are under a separate session when you switch to SSL, which is an important security feature. It matches it up to the HttpSession object residing in memory (or in some cases a database). It also handles replication if you're using clustered containers.



Originally posted by priya kakkar:

Also, how is the following work done?
"With cookies, you either save the data on the user's machine or save a key on their machine that can be used to look up the data on the server."

I think my answer to question one should cover this one too.
priya kakkar
Greenhorn

Joined: May 12, 2007
Posts: 25
I can get that an attribute can be saved in the following two ways:

First:

and get it in next servlet by


Second:

and get it from cookie in next servlet like




Please tell the difference, if any, between both methods.
In both scenarios the container will use cookies.

[ August 26, 2007: Message edited by: priya kakkar ]

[BSouther: Added UBB CODE tags]
[ August 26, 2007: Message edited by: Ben Souther ]
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by priya kakkar:

Please tell the difference, if any, between both methods.
In both scenarios the container will use cookies.


I think, if you read all the posts in this thread, you'll find that we already have; but maybe not clearly enough.

In the first of your two examples, you're saving the 'name' value to session.
It is going to be stored, in memory, on the server. It will never need to be sent back to the browser. The only thing that will go to the browser is the sessionID (most likely as a cookie but possibly as part of the URL in a link, or if you're under SSL, the container may use the session handling mechanism provided by the SSL protocol).

In the second example, you've stored the actual value in a cookie. It will be passed back to the browser in an HTTP header and stored on the client's machine. In all subsequent requests, the browser will pass that value back to you in the HTTP cookie header.

If all you're tracking is a name value, either way will be fine (although, your example shows that it's much more work to use your own cookies).

But... What if you wanted to store a password?
Would you want the user's password to be stored in clear text in the browser? Would you want it being passed back and forth, in clear text, with every request? If you do this and the user accesses your site on a shared machine, anyone else can come along later, read the cookies stored on that machine and see the password.

What if you wanted to store a lot of data?
There is a limit to how much you can put in a cookie (it's browser dependent) and there is a limit to how much data you would want to have to pass back and forth with each and every request. If it's stored in session, it never has to be passed back and forth. You're only passing the key (sessionID).

Lastly, cookies can only be used to store strings.
What if you wanted to store a HashMap with references to other complex objects? Session attributes store references to Java objects so they can be used for keeping track of a much more diverse set of values.
[ August 26, 2007: Message edited by: Ben Souther ]
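
Added example (not part of the original thread, and not container code): a plain-JDK model of the two approaches compared in the post above, a server-side store keyed by a random ID versus data carried in the cookie itself. The class and method names (SessionVsCookie, create, lookup, cookieValue), the cookie attributes and the sample request headers are constructed for illustration; a real container does this work behind HttpSession.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Toy model of session tracking; hypothetical names, not the Servlet API.
public class SessionVsCookie {
    static final SecureRandom RNG = new SecureRandom();
    // Server-side state: session ID -> attributes. This map never leaves the server.
    static final Map<String, Map<String, Object>> SESSIONS = new ConcurrentHashMap<>();

    // Create a session and return the Set-Cookie value the browser would receive.
    static String create(Map<String, Object> attrs) {
        byte[] raw = new byte[16]; // 16 random bytes -> 32 hex chars, as in the JSESSIONID shown above
        RNG.nextBytes(raw);
        StringBuilder id = new StringBuilder();
        for (byte b : raw) id.append(String.format("%02X", b));
        SESSIONS.put(id.toString(), new HashMap<>(attrs));
        // Attributes are an assumption: keep the ID away from scripts and off plain HTTP.
        return "JSESSIONID=" + id + "; Path=/; HttpOnly; Secure";
    }

    // Extract one cookie value from a request "Cookie:" header value, or null if absent.
    static String cookieValue(String header, String name) {
        if (header == null) return null;
        for (String part : header.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(name)) return kv[1];
        }
        return null;
    }

    // Resolve a request to its server-side attributes; unknown IDs resolve to null.
    static Map<String, Object> lookup(String cookieHeader) {
        String id = cookieValue(cookieHeader, "JSESSIONID");
        return id == null ? null : SESSIONS.get(id);
    }

    public static void main(String[] args) {
        String setCookie = create(Map.of("name", "priya", "role", "user"));
        String sent = setCookie.substring(0, setCookie.indexOf(';')); // browser echoes name=value only
        System.out.println("known id    -> " + lookup(sent));
        // Constructed request: an ID the server never issued, plus a client-edited data cookie.
        String edited = "JSESSIONID=00000000000000000000000000000000; role=admin";
        System.out.println("unknown id  -> " + lookup(edited));
        // Data-in-cookie approach: the server reads back whatever the client chose to send.
        System.out.println("data cookie -> role=" + cookieValue(edited, "role"));
    }
}
```

With the session approach only the opaque ID crosses the wire and an ID the server did not issue resolves to nothing; with the data cookie, the value the server reads is whatever the client sent, so it needs server-side validation before use.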
priya kakkar
Greenhorn

Joined: May 12, 2007
Posts: 25
Thanks a ton
You clarified my doubts a lot
sethuraman sukumaran
Greenhorn

Joined: Jul 14, 2004
Posts: 11
Thanks a lot Ben! Yours is the best explanation I ever read for the difference between a HttpSession and a cookie


Thanks & Regards,
Sethu.

SCJP 1.4 - 90%
SCWCD 1.4 - 88%
 