SECTION 5: DESIGNING AND DEVElOPING SERVLETS USING SESSION MANAGEMENT

Section 5
5.1 Identify the interface and method for each of the following:
  • Retrieve a session object across multiple requests to the same or different servlets within the same WebApp
  • Store objects into a session object
  • Retrieve objects from a session object
  • Respond to the event when a particular object is added to a session
  • Respond to the event when a session is created and destroyed
  • Expunge a session object
5.2 Given a scenario, state whether a session object will be invalidated.
5.3 Given that URL-rewriting must be used for session management, identify the design requirement on session-related HTML pages.

Section 5 - Designing and Developing Servlets Using Session Management

5.1 Identify the interface and method for each of the following:

  1. Retrieve a session object across multiple requests to the same or different servlets within the same WebApp
    • public HttpSession HttpServletRequest.getSession([boolean create])
    • if no argument provided, then server will automatically create a new session object if none exists for the user in the web app context
    • to make sure the session is properly maintained, getSession must be called at least once before committing the response
    • sessions are scoped at the web application level; so a servlet running inside one context cannot access session information saved by another context.
    • behind the scenes, the client's session id is usually saved on the client in a cookie called JSESSIONID. For client that don't support cookies, the session ID can be sent as part of a rewritten URL, encoded using a jsessionid path parameter.
    • note that a requested session id may not match the id of the session returned by the getSession() method, such as when the id is invalid. one can call req.isRequestedSessionIDValid() to test if the requested session id (that which was defined in the rewritten url or the persistent cookie) is valid.

  2. Store objects into a session object
    • public void HttpSession.setAttribute(String name, Object value) throws IllegalStateException
    • binds the specified object under the specified name. Any existing binding with the same name is replaced.
    • IllegalStateException thrown if session being accessed is invalid

  3. Retrieve objects from a session object
    • public Object HttpSession.getAttribute(String name) throws IllegalStateException
      -- returns the object bound under the specified name or null if there is no binding
    • public Enumeration HttpSession.getAttributeNames() throws IllegalStateException
      -- returns all bound attribute names as an enumeration of Strings (empty enum if no bindings)
    • public void HttpSession.removeAttribute(String name) throws IllegalStateException
      -- removes binding or does nothing if binding does not exist

  4. Respond to the event when a particular object is added to a session
    • any object that implements the javax.servlet.http.HttpSessionBindingListener interface is notified when it is bound to or unbound from a session.
    • public void valueBound(HttpSessionBindingEvent event) is called when the object is bound to a session
    • public void valueUnbound(HttpSessionBindingEvent event) is called when the object is unbound from a session, by being removed or replaced, or by having the session invalidated

  5. Respond to the event when a session is created and destroyed
    • An object that implements the HttpSessionListener interface is notified when a session is created or destroyed in its web app context
    • interfaces (or classes): javax.servlet.http.HttpSessionListener
    • methods:
      void sessionCreated(HttpSessionEvent e)
      void sessionDestroyed(HttpSessionEvent e)
      - called when session is destroyed (invalidated)
    • behavior in a distributable: sessions may migrate from one jvm or machine to another; hence the session destroy event may occur on a different jvm/machine than the session create event.

  6. Expunge a session object
    • public void HttpSession.invalidate()
      - causes the session to be immediately invalidated. All objects stored in the session are unbound. Call this method to implement a "logout".

5.2 Given a scenario, state whether a session object will be invalidated.

  1. ideally, a session would be invalidated as soon as the user closed his browser, browsed to a different site, or stepped away from his desk. Unfortunately, there's no way for a server to detect any of these events.
  2. session may expire automatically, after a set timeout of inactivity (tomcat default is 30 minutes)
  3. timeout can be overridden in web.xml file by specifying 
      <web-app>…
      <session-config>
          <session-timeout> 60</session-timeout>
      </session-config> 
  </web-app>
  4. timeout can be overridden for a specific session by calling HttpSession.setMaxInactiveInterval(int secs) - negative value indicates session should never time out.
  5. session may expire manually, when it is explicitly invalidated by a servlet by calling invalidate()
  6. a server shutdown may or may not invalidate a session, depending on the capabilities of the server
  7. when a session expires (or is invalidated), the HttpSession object and the data values it contains are removed from the system; if you need to retain information beyond a session lifespan, you should keep it in an external location (e.g. a database)

5.3 Given that URL-rewriting must be used for session management, identify the design requirement on session-related HTML pages.

Note: Using Cookies:

Note: Http Session Activation Listener

Return to top