Servlet Session Management

The Hypertext Transfer Protocol (HTTP) is the protocol that web servers and web browsers use to communicate with each other. HTTP connections are initiated by a client browser that sends an HTTP request. The web server then responds with an HTTP response and closes the connection. If the same client requests another resource from the server, it must open another HTTP connection to the server. The server always closes the connection as soon as it sends the response, whether or not the browser user needs some other resource from the server. That is why HTTP is said to be a stateless protocol.

Being stateless has huge implications: HTTP treats each request as if it came from a new user. That is not what we want for transactions or any other work where information must persist from one request to the next. To remove this obstacle we use session management. A session is pretty much what it sounds like: when a user makes a page request, the server creates a temporary session to identify that user, and when the same user goes to another page on that site, the server recognizes them. So a session is a small, temporary, unique association between the server and a user that lets the server identify that user across multiple page requests or visits to the site.

In session management, when a request arrives for a resource, the server generates a unique token, sends it to the client in the response object, and the client stores it as a cookie. In other words, the state of a web-based client is managed through session IDs. A session ID uniquely identifies a client browser, and server-side processing associates that ID with a level of access. Thus, once a client has successfully authenticated to the web application, the session ID serves as a stored authentication voucher, so the client does not have to retype its login information with each page request. Because the ID stands in for the user's credentials, it must be unguessable and protected as carefully as a password. On every subsequent request from that client the ID or token is passed along in the request object, so the server knows where the request is coming from.

Significance of Session Management:

Hundreds or thousands of users may be visiting a web site at the same time, and being able to identify each of them separately brings real benefits. The following are only some of the uses:

  • Customization: We can let site visitors customize the look and feel of the site, showing each user a different view. We can also show different content to different users depending on their preferences.
  • Security: We can offer membership-based access, making sure that only members see restricted content. After a member logs in, we distinguish members from non-members by setting an attribute on the user's session to some value, so there is no need to log in again and again.
  • User Behavior: We can log user behavior, such as how many times an ad has been shown to a user. If an ad has been shown many times with no response, it is time to change it. In ad rotation software, for example, we can count how many views of each advertiser's ad a user has seen, and if the user never clicks through, replace it with another ad instead of wasting further views of the same ad on that user.
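As an added example (not code from the original article), a Jakarta Servlet that turns the mechanism described above into a login handler and a members-only page: the session object is the server-side record, the container's JSESSIONID cookie is the token, and the "member" attribute is the marker from the Security bullet. The demo user store, the URL paths, the attribute name and the timeout are assumptions; the nested servlet is only there to keep the example in one file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;

// Assumes a Jakarta Servlet 5+ container (use javax.servlet on older ones).
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Constructed demo user store (username -> password); a real application
    // would store salted password hashes, never plaintext.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        String expected = user == null ? null : USERS.get(user);
        // Constant-time comparison so response timing does not reveal how much matched.
        boolean ok = expected != null && pass != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);   // create the server-side session
        req.changeSessionId();                        // fresh ID at login time (Servlet 3.1+)
        session.setAttribute("member", user);         // the membership marker from the text
        session.setMaxInactiveInterval(15 * 60);      // idle timeout, in seconds
        resp.sendRedirect(req.getContextPath() + "/members");
    }

    // Members-only page: the session attribute decides who gets in.
    @WebServlet("/members")
    public static class MembersServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);   // never create a session just to check it
            Object member = session == null ? null : session.getAttribute("member");
            if (member == null) {
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("Welcome back, " + member);
        }
    }
}
```

The cookie carrying the session ID should additionally be marked HttpOnly and Secure, which the container does when `<session-config><cookie-config>` is set in web.xml (Servlet 3.0+); a logout handler would call `session.invalidate()` to discard the record on the server.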

We will use four techniques for session management. They all operate on the same principle, although what is passed and how it is passed differs from one to another. The techniques are as follows:

  1. Session objects
  2. Cookies
  3. URL rewriting
  4. Hidden form fields