Preparing for Java and Spring Boot Interview?

Join my Newsletter, its FREE

4 ways of Session management in Servlets, JSP, and Java Web Applications

Session tracking or Session management is an important feature of modern web applications which allows the server to remember its clients. By keeping a session for each user, the Server can serve the client better. It also helps in safety, security, and personalization and must for certain kinds of web applications like e-commerce sites like Amazon or e-bay which stores items selected by the user for purchase in a shopping cart, even after the user is logged out. 

Since HTTP is a stateless protocol, there are no ways to know that two HTTP requests are related to each other i.e. they are coming from the same client or they are part of the same process. Session tracking is a mechanism that Servlets and Java Web applications use to maintain a state about a series of requests from the same user across some period of time. 

By keeping a session, an e-commerce site can maintain add to card facility and also keep track of how you interact with the application. Since HTTP doesn't provide a default way to track Sessions, there are some non-standard ways to manage Sessions in Servlet JSP-based applications. Let's have a close look at them.

Top 4 Types of Session Tracking in Servlet

Since Session management needs to work with all web browsers and also considers user's security preferences, often an identifier i.e. a SessionId is used to keep track of requests coming from the same client during a time duration. There are four main ways to manage Session in Java Web application written using Servlet and JSP.

1) URL rewriting
2) Cookies
3) Hidden Form fields
4) HTTPS and SSL

let's see them in a little bit more detail:

1. URL rewriting
URL rewriting is a method of session tracking in which some extra data (session ID) is appended at the end of each URL. This extra data identifies the session. The server can associate this session identifier with the data it has stored about that session. 

This method is used with browsers that do not support cookies or where the user has disabled the cookies. If you need to track Session from JSP pages, then you can use the <c:out> tag for URL-rewriting. It automatically encodes session identifiers in URL.

2. Hidden Form Fields
This is one of the oldest ways to do session tracking in the Servlet application. Similar to URL rewriting. The server embeds new hidden fields in every dynamically generated form page for the client. 

When the client submits the form to the server the hidden fields identify the client. You can further see Head First Servlet and JSP for more details on how to use the hidden form field to manage sessions in Servlet JSP.

3. Cookies
A cookie is a small amount of information sent by a servlet to a Web browser. A cookie is saved by the browser and later sent back to the server in subsequent requests. A cookie has a name, a single value, expiration date, and optional attributes. 

A cookie's value can uniquely identify a client. Since a client can disable cookies, this is not the most secure and fool-proof way to manage the session. If Cookies are disabled then you can fall back to URL rewriting to encode Session id e.g. JSESSIOINID into the URL itself.

Session management in Servlet and JSP

4. Secure Socket Layer (SSL) Sessions
Web browsers that support Secure Socket Layer communication can use SSL's support via HTTPS for generating a unique session key as part of the encrypted conversation. Modern days online internet banking websites, ticket booking websites, e-commerce retailers like Amazon and e-bay all use HTTPS to securely transfer data and manage the session. You can also see Murach's Java Servlets and JSP learn more about how HTTPS can be used with Java web applications.

That's all about different ways to track Session in Java Web application. Cookie was the most popular way to manage Session with a fallback to URL rewriting when Cookies are not enabled at the client-side. 

While more security-sensitive applications like online e-commerce portals like Amazon, Flipkart, eBay, online banking websites, travel booking websites, or any other websites which deal with sensitive information like personal, financial, or professional they use SSL and HTTPS to secures transfer and maintain them.


Feel free to comment, ask questions if you have any doubt.