Session Tracking in Java Servlets: A Comprehensive Guide, Study notes of Software Engineering

Session Tracking in Java Servlets Material Type: Notes; Class: Software Eng for WWW; Subject: Software Engineering; University: George Mason University; Term: Unknown 1989;

Typology: Study notes

Pre 2010

Uploaded on 02/12/2009


Session Tracking in Java Servlets

Ye Wu
http://www.ise.gmu.edu/~wuye/
SWE 642: Software Engineering for the World Wide Web
Sources: Java for the Web with Servlets, JSP and EJB, Kurniawan, New Riders; Professional Java Server Programming, Patzer, Wrox

10/6/2003 © Dr. Wu and Dr. Offutt 2

Session State Information

  • The initial versions of the web suffered from a lack of state:
  • If you wanted multiple screens, there was no way for data to be accumulated or stored

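[Figure: an HTML form sends data to the server, which returns an HTML page with info. With a sequence of forms (Form1, Form2, Form3, Form4), each passing through the server, the data has to accumulate: D1, D1+D2, D1+D2+D3, D1+D2+D3+D4.]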


Session Tracking

  • Web sites that are service-oriented need to maintain user states
  • This is called session tracking


Session Tracking (2)

  • Session tracking refers to passing data from one HTTP request to another
  • Servlets can use several methods to do session tracking:
  1. Include data as extra parameters in URL (rewriting)
  2. Hidden form fields
  3. Cookies
     Servlet API session tracking tools
  4. Sessions using the Secure Sockets Layer (SSL) (not discussed in J2EE edition of text)

Session: A series of related interactions between a client and a web server (similar to a use case)

Session Tracking (3)

[Figure: Client C sends a request with a token to Server S; Server S sends back a response with a token.]

All four work by exchanging a token between the client and the server.

Non-servlet Methods (Stone Age)

1) URL Rewriting

  • Forms usually add parameters: URL?P1=v1&P2=v2&P3=v3&…
  • You can add values in the URL as a parameter: HREF="./servlet/X?SneakyParam=42", or with User=george as the parameter
  • This is used as a key to find the saved information about the user george.
  • Messy and clumsy
  • Long URLs
  • Information on URL is public
  • All HTML pages must be created dynamically


Non-servlet Methods

2) Hidden Form Fields

  • Generate HTML pages with forms that store "hidden" information:
  • Somewhat clumsy
  • Insecure
  • All HTML pages must be created dynamically


Non-servlet Methods

3) Cookies

  • Cookies are small files or text strings stored on the client's computer
  • Created by the web browser
  • Arbitrary strings, but usually var=value pairs or XML
  • Java coding:
      Cookie c = new Cookie("user", "george");
      c.setMaxAge(5*24*60*60); // expires in 5 days, in seconds
      response.addCookie(c); // sends cookie to client
  • CookieTest.java


Non-servlet Methods

3) Cookies – cont.

  • Cookies are very useful and simple
  • Not stored with the HTML content
  • Convenient way to solve a real problem
  • But cookies are scary!
    • It's as if I stored my files at your house
    • Cookies go way beyond session tracking
    • Cookies provide a way to do behavior tracking


Bronze-age method

3.b) Servlet API

  • The servlet API uses cookies to provide a simple, safe, flexible method for session tracking
  • Cookies are handled automatically
  • HttpSession stores data in the current active object
  • Data disappears when the object is destroyed
  • Object is destroyed after the session ends, usually 30 minutes after the last request


Servlet API (2)

  • String getId() : Returns the session ID.
  • void invalidate() : Removes the current session.
  • Enumeration getAttributeNames() : Returns an enumeration of all the value names that are stored for this session.
  • Object getAttribute (String name) : Returns the value stored for the given name.
  • void setAttribute (String name, Object attribute) : Adds an item to the session.
  • void removeAttribute (String name) : Removes an item from the session.
  • SessionLifeCycleServlet.java

Servlet API (3)

  • These methods are not synchronized
  • Multiple servlets can access the same session object at the same time
  • If this can happen, your program should synchronize the code that modifies the shared session attributes
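
Added example (not SessionLifeCycleServlet.java or other course code): a servlet that updates a shared session attribute under a lock, using the HttpSession methods listed above. The class, attribute and parameter names are made up for illustration; locking on the session object assumes the container hands concurrent requests the same HttpSession instance, which the servlet specification does not promise.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical servlet, not the course's SessionLifeCycleServlet.java.
public class CartCountServlet extends HttpServlet {
    private static final String ATTR = "itemCount";   // assumed attribute name

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain");

        // action=logout (assumed parameter): end the session so that its data
        // is dropped and the old session ID no longer maps to anything.
        if ("logout".equals(request.getParameter("action"))) {
            HttpSession existing = request.getSession(false);   // do not create one
            if (existing != null) {
                existing.invalidate();
            }
            response.getWriter().println("logged out");
            return;
        }

        HttpSession session = request.getSession(true);   // create if none exists
        int count;
        // Two requests from one browser (two tabs, a double click) can run at the
        // same time on the same session. Without the lock both may read the same
        // old value, and one increment is lost.
        synchronized (session) {
            Integer old = (Integer) session.getAttribute(ATTR);
            count = (old == null) ? 1 : old + 1;
            session.setAttribute(ATTR, count);
        }
        response.getWriter().println("items=" + count);
    }
}
```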


Servlet Context (2)

  • Normally, each servlet is mapped to a specific URI: hermes.gmu.edu:8080/swe64201/servlet/ServletTest
  • For servlet contexts, each context must be mapped to a path prefix: $CATALINA_HOME/classes/swe64201/WEB-INF/classes

domain path maps to servlet


Installing Servlets that Use Servlet Contexts

  • The system administrator must tell:
    • Server about contexts: where /what directory is
    • Servlet engine: a name mapping for the servlet pages
    • Server: to start contexts upon initialization
  • Servlets share information through the following methods:
    1. getAttribute()
    2. setAttribute()
    3. removeAttribute()
    4. getInitParameter()
  • Obtain servlet context: ServletContext context = getServletContext();


Servlet Collaboration

  • Servlet Chaining
    • You configure the servlet engine to do the chaining
    • Not supported by the Java Servlet API
  • Request Dispatching
    • A servlet or a JSP page dispatches a request to another servlet, JSP page or HTML file. (Note: the servlets and JSP pages have to be in the same context)
    • forward(request, response)
    • include(request, response)

RequestDispatcher Object

  • getServletContext().getRequestDispatcher(String path): Path has to be the absolute path to the context.
  • getServletContext().getNamedDispatcher(String name): Looks in the web.xml file for the <servlet-name> element.
  • request.getRequestDispatcher(String path): Path has to be the absolute path or the relative path to the context. Example: when /myApp/servlet/servlet1 forwards to /myApp/servlet/servlet2, the absolute path is "/servlet/servlet2" and the relative path is "servlet2".

RequestDispatcher Interfaces

  • forward() method: Forwards the request to another servlet, a JSP page, or an HTML file for producing the response. (Note: the original servlet or JSP cannot commit any output to the response)
  • include() method: Includes the content produced by another resource in the calling servlet's response.

Forward and sendRedirect

  • Forward – intra-server communication
  • sendRedirect – client-server round-trip communication
  • Forward – all resources have to be in the same context, whether they are referenced by absolute or relative path
  • sendRedirect – doesn't matter.
  • Our advice: use sendRedirect whenever possible and use forward whenever necessary.
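
Added example (not from the course material): one servlet that uses both mechanisms, a redirect after a state-changing POST and a forward to render the page inside the same context. The class name, the /order mapping, the item parameter and the /WEB-INF/order.jsp path are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical servlet, assumed to be mapped to /order.
public class OrderServlet extends HttpServlet {

    // POST changes state, then redirects. The browser makes a second request,
    // so reloading the result page repeats the GET and not the order.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(true);
        session.setAttribute("lastItem", request.getParameter("item"));
        // The request object does not survive the round trip, so the data is
        // carried in the session. The target is fixed by the server and is not
        // taken from request input.
        response.sendRedirect(request.getContextPath() + "/order");
    }

    // GET renders by forwarding inside the same context. Nothing may be written
    // to the response before forward(); request attributes reach the target.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        Object item = (session == null) ? null : session.getAttribute("lastItem");
        // "item" came from the user: the JSP must escape it when printing it.
        request.setAttribute("item", item);
        // A leading "/" makes the path relative to the context root.
        RequestDispatcher rd = request.getRequestDispatcher("/WEB-INF/order.jsp");
        rd.forward(request, response);
    }
}
```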