4 ways of Session management in Servlet Java

Session tracking or Session management is an important feature of modern web applications which allows the server to remember it's clients. By keeping a session for each user, Server can serve the client better. It also helps in safety, security and personalization and must for certain kind of web applications e.g. e-commerce sites like Amazon or e-bay which stores item selected by the user for purchase in a shopping cart, even after the user is logged out. Since HTTP is a stateless protocol, there are no ways to know that two HTTP requests are related to each other i.e. they are coming from the same client or they are part of the same process. Session tracking is a mechanism that Servlets and Java Web application use to maintain state about a series of request from the same user across some period of time. By keeping a session, an e-commerce site can maintain add to card facility and also keep tracks of how you interact with the application. Since HTTP doesn't provide a default way to track Session, there are some non-standard ways to manage Sessions in Servlet JSP based application. Let's have a close look on them.

Types of Session Tracking in Servlet

Since Session management needs to work with all web browsers and also considers user's security preference, often an identifier i.e. a SessionId is used to keep track of request coming from the same client during a time duration. There are four main ways to manage Session in Java Web application written using Servlet and JSP.

1) URL rewriting
2) Cookies
3) Hidden Form fields
4) HTTPS and SSL

let's see them in little bit more detail:

URL rewriting
URL rewriting is a method of session tracking in which some extra data (session ID) is appended at the end of each URL. This extra data identifies the session. The server can associate this session identifier with the data it has stored about that session. This method is used with browsers that do not support cookies or where the user has disabled the cookies. If you need to track Session from JSP pages, then you can use <c:out> tag for URL-rewriting. It automatically encodes session identifier in URL.

Hidden Form Fields
This is one of the oldest ways to do session tracking in Servlet application. Similar to URL rewriting. The server embeds new hidden fields in every dynamically generated form page for the client. When the client submits the form to the server the hidden fields identify the client. See Head First Servlet and JSP for more details on how to use hidden form field to manage session in Servlet JSP.

How to manage session in Servlet JSP application

A cookie is a small amount of information sent by a servlet to a Web browser. A cookie is saved by the browser and later sent back to the server in subsequent requests. A cookie has a name, a single value, expiration date and optional attributes. A cookie's value can uniquely identify a client. Since a client can disable cookies, this is not the most secure and fool-proof way to manage the session. If Cookies are disabled then you can fallback to URL rewriting to encode Session id e.g. JSESSIOINID into the URL itself.

Session management in Servlet and JSP

Secure Socket Layer (SSL) Sessions
Web browsers that support Secure Socket Layer communication can use SSL's support via HTTPS for generating a unique session key as part of the encrypted conversation. Modern days online internet banking website, ticket booking websites, e-commerce retailers like Amazon and e-bay all use HTTPS to security transfer data and manage the session. You can also see Murach's Java Servlets and JSP to learn more about how HTTPS can be used with Java web application.

That's all about different ways to track Session in Java Web application. Cookie was the most popular way to manage Session with a fallback to URL rewriting when Cookies are not enabled at the client side. While more security sensitive applications e.g. online e-commerce portals like Amazon, FlipCart, EBay, online banking websites, travel booking websites, or any other websites which deal with sensitive information e.g. personal, financial or professional they use SSL and HTTPS to secures transfer and maintain them.

Further Learning
Java Web Fundamentals By Kevin Jones
Spring Framework 5: Beginner to Guru
JSP, Servlets and JDBC for Beginners: Build a Database App


  1. What is default method to track sessions?

  2. By default user sessions are maintained using ......


Feel free to comment, ask questions if you have any doubt.