Session Tracking

sudipto shekhar
Ranch Hand

Joined: Apr 02, 2008
Posts: 823

Hello,

I know what session tracking is.
I am referring to Head First Servlets & JSP. It talks about sessions, JSESSIONID, cookies, adding cookies etc. What I did not understand is how we do session tracking. For example, when the user logs in, how do I associate a user with a session? I went through some code on the internet but still the whole thing is not so clear.

In a servlet

gets me a session. To this session object I can stick an attribute with the username (or more relevant/reliable data) and can retrieve it throughout my application.

How do we verify further whether the user is from a particular session?

Correct me if I am wrong: a cookie is associated with a particular session, can carry a small amount of data back and forth between the server and client, and is stored at the client side.

So how is a cookie used for managing sessions?
When and how does 'JSESSIONID' come into play for session handling?

I seek this help as I am a newbie and do not have work experience.
Any kind of help would be very helpful.

This is just a question so feel free to answer.

Thank you.
[ December 18, 2008: Message edited by: Sudipto Shekhar ]

Regards, Sud.
SCJP 5 ScjpFAQ JLS
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181
    

Originally posted by Sudipto Shekhar:
Hello,

...



...

Not quite true. The getSession(true) statement will get the current user's session, and if there is no current user session, a new one will be made. If you call getSession(false) it will get the current user's session, and if there is no current user session it will return null. The getSession() (no argument method) behaves just like getSession(true).

Originally posted by Sudipto Shekhar:
How do we verify further whether the user is from a particular session?

Correct me if I am wrong: a cookie is associated with a particular session, can carry a small amount of data back and forth between the server and client, and is stored at the client side.

So how is a cookie used for managing sessions?
When and how does 'JSESSIONID' come into play for session handling?


This is all handled for you by the server. When a session is first made for a user, the server adds a JSESSIONID cookie to the response with a unique ID to associate a session with the user. Each time the user makes a request to the server the same JSESSIONID cookie is sent back to the server by the browser (again, automatically by the browser).

When you call the request.getSession() method the server looks for the JSESSIONID cookie that the browser sends with the request. If it exists, then the server looks up the id in a table of HttpSession objects and returns the correct one for you. If the cookie does not exist, or if the id can't be found in the table then a new HttpSession object is made, the new id is stored in the table, a new JSESSIONID cookie added to the response, and the session is returned to you.

You don't need to handle session lookups yourself, you let the server do it for you.


Steve
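The login step asked about above, as an added example that is not part of the original thread: a servlet that uses getSession(false) and getSession(true) to tie an authenticated user to a fresh session, so a JSESSIONID issued before login is not carried into the logged-in session. The URL mappings, the attribute name and the use of the container's security realm through request.login() are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login") // hypothetical mapping
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authenticatedUser"; // hypothetical name

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // getSession(false) never creates a session. Discard the one the browser
        // arrived with so a pre-login JSESSIONID is not reused after login.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            if (request.getUserPrincipal() != null) {
                request.logout(); // already logged in: switch user cleanly
            }
            // Assumption: the container has a security realm configured.
            request.login(username, password);
        } catch (ServletException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // getSession(true) creates a new session; the container adds a new
        // JSESSIONID cookie to this response. The attribute ties the user to it.
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, username);
        response.sendRedirect(request.getContextPath() + "/home"); // hypothetical page
    }

    /** For other servlets: the logged-in user, or null. Creates no session. */
    public static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }
}
```

Protected servlets call LoginServlet.currentUser(request) and treat null as "not logged in"; using getSession(false) there avoids creating empty sessions for anonymous requests.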
sudipto shekhar
Ranch Hand

Joined: Apr 02, 2008
Posts: 823

Ok.
How do I associate a particular user to a session? I am sorry, I did not get this.
Or a particular user remains in his session until the session expires or when the session is invalidated?
Why don't I get the cookie named JSESSIONID from the array of Cookies sent from the client when I iterate through the array, using if(cookie.getName().equals("JSESSIONID")) cookie.getValue()?


When a session is first made for a user, the server adds a JSESSIONID cookie to the response with a unique ID to associate a session with the user.


So you mean to say I do not have to keep track of which user is in a particular session!
A user is associated with his own session and this is done by the container, with the help of the cookie named 'JSESSIONID'.

Each time a new request comes to the server and a new session is created "HttpSession session=request.getSession();" the container adds a cookie named 'JSESSIONID' to the response.

So when the user has travelled through several pages in the application he is in his session and it is maintained by the container.
Correct?
Please correct me if I am wrong somewhere in understanding you.
Thank you very much Steve for your help.
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181
    

Originally posted by Sudipto Shekhar:
Ok.
How do I associate a particular user to a session? I am sorry, I did not get this.
Or a particular user remains in his session until the session expires or when the session is invalidated?

Correct, the user remains in session until the session expires or the session is invalidated.

Originally posted by Sudipto Shekhar:

Why don't I get the cookie named JSESSIONID from the array of Cookies sent from the client when I iterate through the array, using if(cookie.getName().equals("JSESSIONID")) cookie.getValue()?

Hmm, I don't know, I never actually tried looking it up. It may be filtered out by the server. I will have to check it out.


Originally posted by Sudipto Shekhar:
So you mean to say I do not have to keep track of which user is in a particular session!
A user is associated with his own session and this is done by the container, with the help of the cookie named 'JSESSIONID'.

Each time a new request comes to the server and a new session is created "HttpSession session=request.getSession();" the container adds a cookie named 'JSESSIONID' to the response.

So when the user has travelled through several pages in the application he is in his session and it is maintained by the container.
Correct?
Please correct me if I am wrong somewhere in understanding you.
Thank you very much Steve for your help.


That is correct. When the user FIRST hits your site, a new session is made and the JSESSIONID cookie is created and sent to the user. From then on, the Cookie gets sent back to the server, and the server puts the user in the SAME session that was used on the first page.

So when a user has traveled through several pages in the application he is in the same session the entire time, all maintained by the container.

I am not sure how far you have read in the book, but you should soon come to the question of what happens when the user turns cookies off: how are sessions maintained then? This can be done, and I will let you read through the book to get the details, but the idea is you will end up having to do some session management to protect yourself against these cases (look for keywords like URL Rewriting or encodeURL).

But for the introductory stuff, sessions are maintained by cookies and the server handles all the IDs / session lookup stuff for you. All you have to do is call request.getSession();
[ December 18, 2008: Message edited by: Steve Luke ]
sudipto shekhar
Ranch Hand

Joined: Apr 02, 2008
Posts: 823

Originally posted by Steve Luke:

sessions are maintained by cookies and the server handles all the IDs / session lookup stuff for you. All you have to do is call request.getSession();



This is the place where the whole thing got messed up.
But now I am clear.
Thanks to you Steve.
And yes, I have gone through the chapter. When cookies are disabled the session is still maintained by the container through response.encodeURL(); and this information is exchanged between the client and the server by appending 'JSESSIONID' to the URL.

So where there is session there is cookie and vice versa.

Thank you Steve, very much for your help.

Let me know if you come to know about the cookie.getName().equals("JSESSIONID") thing.

Thanks once again. Have a nice time.
 