
Session Tracking

(or)
Session, Session Management &
Client State Persistence
=======================

01) What is a session?


02) What is session tracking or session management?
03) Why do we need session tracking?
04) What is client state persistence?
05) What is the procedure for tracking a session?
06) What is the problem if we do not track a session?
07) What are the different session tracking techniques?
08) What are the pros & cons of each technique?

09) Understanding session tracking using HttpSession


01. Session tracking procedure in HttpSession
02. Creating & retrieving session object from servlet
03. HttpSession methods
04. Servlet program to display session information
05. Destroying session
1. after session timeout &
2. manually before session timeout
06. Different ways of setting session timeout & their priority
07. Listener object to track session creation & destruction
08. Difference between
req.getSession(), req.getSession(true) & req.getSession(false)
09. Servlet program to identify "session time out"
10. Servlet program to
1. Create session in login action
2. Share it in next requests
3. Close session manually in logout action
11. A client registration application using session object
12. A ShoppingCartServlet application to show
client state persistence.

=============== * ============== * ============


Basic Idea:

HTTP protocol and web servers are stateless.

It means that a web server can't identify whether a new request is coming from an
old client that has been sending requests previously.

So for the web server every request is a new request, even though the client is an
old client.

Because of this stateless nature, client-given data will not be stored, and then
we have one of the below two problems:

Either we lose the previous request data
or
this request's response data is sent to the wrong client.

Hence we need a mechanism

- to identify that the current request is from an old client and
- to store old request data in the server & make it available
for the next requests of this client.

This mechanism is nothing but session tracking.


Session Tracking = Session Management + Client State Persistence
=============================================
Session management means sharing the session ID between web server & web client.

Client state persistence means storing client data in the server.


=============================================

What is a session?
A session is a time interval between a client login & logout [or first
request to last request].

Or

A session is a conversation between client & server.

A conversation (session) consists of a series of continuous requests and responses.

What is a session tracking or session management?


Session tracking is the process of
"identifying whether a new request is coming from an old client or from
another new client".

Why do we need session tracking?


For client state persistence &

for identifying or grouping multiple requests that belong to the same client,
and further for storing & sharing a client's "all requests data" between client and
server in every request & response.

There is no inbuilt support from the web server for session tracking; we must
implement it explicitly in the servlet program.

What is client state persistence?


Storing client-given request data and making it available for its next requests
until the session is closed is called client state persistence.

For example:
In a mobile recharge operation, the web application must remember the mobile number
& recharge amount for the next multiple requests until the recharge is completed.

Hence in this application we must implement session tracking with client
state persistence.

Problem if we do not track a session?


Data mismatch & security problems will occur because one client's data may be
given to another client.

For example:
In a shopping cart application a client keeps on adding items into his cart
in multiple requests. When every request is made, the server should identify
which client's cart the item is to be added to, or who is sending the checkout
request, so that it can charge the amount to the correct client.

Solution with session tracking:


When a client makes a request, it should introduce itself as an old client by
providing a unique identifier every time.
This unique ID should be generated by the web server & shared with the web client.
Then the web client will send this session ID in every next request as shown in above
"paytm" application.

Session Tracking Techniques (methods):


To achieve session tracking we must use one of the below five methods.

1. Hidden Form Fields
2. URL Rewriting
3. Cookies
4. HttpSession

All above five approaches have a set of pros and cons.

In first three approaches, request data cannot be stored in the server; data is moved
to-&-fro between client & server until the last request.

These four approaches increase the burden on the network & are not cost effective.

The solution is that all request data must be stored in the server separately for each
client with a unique ID (called session ID); then only the session ID must be sent in
every request and response.

This session tracking technique is implemented with HttpSession. Client state is
stored in the server system using the HttpSession object.

Understanding session tracking using HttpSession object


==========================================
When a new user sends a request to the web server,

the servlet container will check for the Set-Cookie request header; if it exists, it checks
whether it contains a header value with the name "jsessionid=BCDGRE5438....." (32 chars)
or not.

If it doesn't exist, the servlet container creates a new HttpSession object with a session ID
and one map-type buffer object for each session, and sends that session object into
the servlet's service() by wrapping it in a request object.

The servlet will further use that session object to persist client request data.

During the first response the servlet container adds the jsessionid to the response header
"Set-Cookie" and sends it to the web browser.

The browser stores that information on the client hard disk using a temporary file called
"cookie" and resends the jsessionid to the web server from the next request onwards.

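The bookkeeping described above, modelled as an added example that is not part of the original notes and is not real container code: a server-generated 32-character ID, one map per session, and expiry measured from the last access. The class name ToySessionStore, its method signature and the sample values are hypothetical.

```java
// Added example: a toy model of the container's session bookkeeping, not container code.
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ToySessionStore {
    static final class Session {
        final String id;                                   // value the client sends back
        final Map<String, Object> attributes = new ConcurrentHashMap<>(); // per-session map
        volatile long lastAccessed;
        Session(String id, long now) { this.id = id; this.lastAccessed = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long maxInactiveMillis;

    public ToySessionStore(long maxInactiveSeconds) { maxInactiveMillis = maxInactiveSeconds * 1000L; }

    /** Models getSession(create): idFromClient is the ID the browser sent back, or null. */
    public Session getSession(String idFromClient, boolean create, long now) {
        Session s = (idFromClient == null) ? null : sessions.get(idFromClient);
        if (s != null && now - s.lastAccessed > maxInactiveMillis) {
            sessions.remove(s.id);          // session timeout: idle longer than the interval
            s = null;
        }
        if (s == null && create) {
            s = new Session(newId(), now);  // the ID is always generated by the server
            sessions.put(s.id, s);
        }
        if (s != null) s.lastAccessed = now;
        return s;
    }

    private String newId() {                // 16 random bytes -> 32 hex characters
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    public static void main(String[] args) {
        ToySessionStore store = new ToySessionStore(30 * 60);   // 30-minute inactive interval
        Session s = store.getSession(null, true, 0L);           // first request, no ID yet
        s.attributes.put("mobile", "0000000000");               // constructed sample data
        System.out.println(store.getSession(s.id, false, 60_000L) == s);           // still active
        System.out.println(store.getSession(s.id, false, 3 * 3_600_000L) == null); // idle too long
    }
}
```
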
Q) When does the servlet container create a session object?


Q) Will the servlet container create a session object for a client
automatically by itself?
A) The servlet container will not create a session for a client by
itself. The servlet container creates/starts a session for a client only if
the servlet requests it by calling the request.getSession() method.

Q) Will the servlet container destroy a session automatically?
A) Yes, after its session timeout.

Q) What is the meaning of session timeout?
A) The session's inactive interval time from its last accessed time.

Q) What is the default inactive interval time for a session?
A) 30 minutes.

Q) Can we change the session inactive interval time, either
decrease or increase?
A) Yes.

Q) What are the different ways of changing the session timeout?
A) We have two ways
1. Programmatic approach using
session.setMaxInactiveInterval( 5 );

2. Declarative approach using
web.xml file tag <session-config>

<session-config>
    <session-timeout>5</session-timeout>
</session-config>

Assume we have set 5 as the time in the above two approaches.

Diff #1:
In the first approach the session object is destroyed within 5 seconds if we
don't send the next request.

In the second approach the session object is destroyed within 5 minutes if we
don't send the next request.

Diff #2:
In the first approach the session timeout is applicable only to the current
servlet.

In the second approach the session timeout is applicable to all servlets
configured in this web.xml file.

Diff #3:
In the first approach, a session timeout of
-> 0 represents session is destroyed immediately
-> -ve number represents session is never destroyed

In the second approach, a session timeout of
-> 0 & -ve number represents session is never destroyed

Note: If we use both approaches, the session.setMaxInactiveInterval() value
is applied to the servlet.

Q) Can we destroy a session manually before its timeout?
A) Yes, it is possible by calling the session.invalidate() method.

General procedure:
1. In websites, we will create the session in LoginServlet
2. We will use it in BLogic servlets
3. We will destroy it in LogoutServlet by calling the
session.invalidate() method

HttpSession Methods:
HttpSession interface provides two sets of methods
1. For viewing session information
2. For storing client data in session

Methods for creating session:
======================
public HttpSession getSession()
public HttpSession getSession(boolean create)

The above two methods are given in the HttpServletRequest interface.

Q) What is the difference between
req.getSession(), req.getSession(true) & req.getSession(false)?

A) The req.getSession() method always creates a new session object and returns its
reference if a session does not exist for the requesting client. If a session
already exists, it returns the same session object reference.

The req.getSession(true) method's functionality is exactly the same as the req.getSession()
method. The req.getSession() method internally calls the req.getSession(true) method.

The req.getSession(false) method will not create a new session object; it always returns
the existing session object. If a session does not exist, it returns null.

Project coding:
In LoginServlet we will call the req.getSession() method
to create a new session.

In all the remaining servlets we will call req.getSession(false)
to get the already created session object. Only then will the previous request data
be available to the next request.

Q) What will be the problem if we use the req.getSession() method in a BLogic servlet, as it
also will return the existing session?
A) Here the problem is:
if the client sends a request after session timeout, the req.getSession() method
creates a new session object and returns its reference to the servlet; the servlet then
executes its logic using this new session object, and an NPE will be raised, because
the previous request data will not exist in this new session.

So to solve this problem we must use the req.getSession(false) method. We must
place an if condition in the BLogic servlet to continue its logic execution.

If req.getSession(false) returns null, stop execution and print a "session
time out" message to the client, else continue execution.
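
The general procedure and the getSession(false) check above, put together as an added example that is not code from the original notes. It assumes the javax.servlet API (Servlet 3.0+; newer containers use jakarta.servlet), and the class names, URL patterns, the "user" request parameter and the "user" session attribute are hypothetical.

```java
// Added example, not from the original notes. Assumes the javax.servlet API (Servlet 3.0+);
// the URL patterns, the "user" parameter and the "user" attribute are hypothetical.
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

public class SessionDemo {
    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
            String user = req.getParameter("user");   // assumption: credentials already verified
            if (user == null || user.isEmpty()) {
                res.sendError(HttpServletResponse.SC_BAD_REQUEST, "user is required");
                return;
            }
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();        // discard any session from before login
            HttpSession session = req.getSession();   // same as getSession(true): creates one
            session.setAttribute("user", user);
            res.getWriter().println("Login successful");
        }
    }

    @WebServlet("/cart")
    public static class CartServlet extends HttpServlet {      // a "BLogic" servlet
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
            res.setContentType("text/plain");
            HttpSession session = req.getSession(false);       // never creates a session
            if (session == null || session.getAttribute("user") == null) {
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                res.getWriter().println("session time out");
                return;                                        // stop before any business logic
            }
            res.getWriter().println("Cart of " + session.getAttribute("user"));
        }
    }

    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate();         // destroy before its timeout
            res.getWriter().println("Logged out");
        }
    }
}
```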
