Java Servlets and Sessions
Download
Report
Transcript Java Servlets and Sessions
Comp2513
Java Servlets and Sessions
Daniel L. Silver, Ph.D.
Objectives
To review the problem that the HTTP
connectionless environment poses for ECommerce
Solution 1: hidden fields
Solution 2: cookies
Solution 3. session control
Reference: DDEA Ch.7, Sharma p.110-122
and EJP (Ch.4) p.48-63
2001
Daniel L. Silver
2
Websphere Java Servlet
Request Processing
Client
http://eagle.acadiau.ca/demo/servlet/HelloWorld
Browser
HTML
Internet
Tomcat
App. Server
JVM
HTTP
Server
servlet/HelloWorld
HelloWorld.class
demo/servlet/ equates to
…/demo/WEB-INF/classes/HelloWorld.class
2001
Daniel L. Silver
3
HTTP is Connectionless
The HTTP protocol is connectionless
Knowledge of prior pages visited or, for
example, products placed in a shopping cart
are easily lost
So how can server applications maintain a
sense of a session with a client?
– hidden fields
– cookies
– session control
2001
Daniel L. Silver
4
Hidden Fields in HTML
Solution comes from CGI period
Server hides session information within HTML
returned to the client
FORM field INPUT type can be set to “hidden”
<INPUT TYPE=“hidden” NAME=“itemsbought”
VALUE=“209087,342901”>
Field name and value will be returned to the server
by the client when the client submits the form
request to the server
2001
Daniel L. Silver
5
Hidden Fields in HTML
Example:
http://eagle.acadiau.ca:8080/danstech/HiddenFields.html
Problems with this method?
– User can see the hidden info (use source view)
– Causes a lot of additional HTTP traffic
– Session info is lost if HTML (that contains
hidden fields) is lost
2001
Daniel L. Silver
6
Servlets and Cookies
Solution comes from CGI period but has evolved with Java
servlets
Servlets send a small piece of data to the client that gets
written to a secure disk area:
How does the servlet do this?
Cookie c = new Cookie(name, value);
…
response.addCookie(c)
So the session data (products placed in the users shopping
cart) can be stored in cookie
Or simply an ID can be placed in the cookie and the server
can maintain the session data
2001
Daniel L. Silver
7
Servlets and Cookies
Client browsers will check to see if there is
a cookie associated with any request to a
server (URL) or a particular server/path …
The server can establish the URL specifics:
Cookie c = new Cookie(name, value);
c.setDomain(“eagle.acadiau.ca”);
c.setPath(“/”);
Could be more specific if desired … the
above is the default
2001
Daniel L. Silver
8
Servlets and Cookies
Whenever a new request is sent to the
server it checks to see if a cookie is
included:
Cookie[] cookies = request.getCookies();
for (int i = 0; i < cookies.length; i++) {
Cookie c = cookies[i];
String name = c.getName();
String value = c.getValue();
…
}
2001
Daniel L. Silver
9
Servlets and Cookies
A cookie is established by the server in the HTTP response
header:
Content-type: text/html
Set-Cookie: name=value; expires=Sat, 26-Aug-95 15:45:30 GMT; path=/;
domain=eagle.acadiau.ca
expires= determines the life of the cookie
expires= a negative value (default), then cookie expires when the browser
exits, so it is never written to disk
expires=0 tells the browser to delete the cookie immediately
To set a cookie’s life in seconds use the Cookie method:
setMaxAge(int expiry)
2001
Daniel L. Silver
10
Servlets and Cookies
Example 1 – A Session cookie:
http://eagle.acadiau.ca:8080/examples/servlets/index.html
– Full source code
http://eagle.acadiau.ca/demo/CookieExample.java
Example 2 – A Persistent Cookie
http://eagle.acadiau.ca/demo/PersistentCookieExample.html
- Full source code
http://eagle.acadiau.ca/demo/PersistentCookieExample.java
Problems with this method?
–
–
–
–
2001
Cookies have limit life (servlet, browser) and size (4k bytes)
Maximum number of cookies set by browser
User may disable cookie acceptance
Can be inefficient in terms of data communications
Daniel L. Silver
11
Servlets and Cookies
For more information on cookies see
Netscape's Cookie Specification at
http://home.netscape.com/newsref/std/cookie_spec.html
Or RFC 2109 at
http://www.ietf.org/rfc/rfc2109.txt
Or http://www.cookiecentral.com.
2001
Daniel L. Silver
12
Servlets and Sessions
Solution is most commonly used with Java
servlets and JSPs
The Servlet JDK comes with HTTP class
that facilitates session management HttpSession
A session is a connection between a client
and server that persists over multiple HTTP
request / responses
2001
Daniel L. Silver
13
Servlets and Sessions
A new session is established by using the
getSession() method of HttpSession class:
HttpSession session = req.getsession(true);
If parameter = “true” the servlet engine checks to
see if an session already exists, if so a handle is
returned, otherwise a new session is created
Therefore, more than one servlet can participate in
a session
Cookies are used to identify a session on the client
2001
Daniel L. Silver
14
Servlets and Sessions
Session objects contain various information:
HttpSession session = request.getSession();
out.println(rb.getString("sessions.id") + " " + session.getId());
out.println("<br>"); [NOTE: rb is a resource bundle class –
replace rb.getString() with ASCII text for your own purposes]
out.println(rb.getString("sessions.created") + " ");
out.println(new Date(session.getCreationTime()) + "<br>");
out.println(rb.getString("sessions.lastaccessed") + " ");
out.println(new Date(session.getLastAccessedTime()));
2001
Daniel L. Silver
15
Servlets and Sessions
2001
Data stored as attribute-value pairs
Three key HttpSession methods:
– setAttribute(dataName, dataValue)
– getAttributeNames(), getAttribute(dataName)
Examples:
String dataName = request.getParameter("dataname");
String dataValue = request.getParameter("datavalue");
if (dataName != null && dataValue != null) {
session.setAttribute(dataName, dataValue);
}
Enumeration names = session.getAttributeNames();
while (names.hasMoreElements()) {
String name = (String) names.nextElement();
String value = session.getAttribute(name).toString();
out.println(name + " = " + value + "<br>");
}
Daniel L. Silver
16
Servlets and Sessions
Example:
http://eagle.acadiau.ca:8080/examples/servlets/index.html
– Full source code
http://eagle.acadiau.ca/demo/SessionExample.java
Problems with this method?
– Normally, HTTPSession terminates when
browser is closed
– You may wish to have a business session
(shopping tour) extend beyond browser
closures
2001
Daniel L. Silver
17
THE END
[email protected]