Maintain Session using User Authorization

User Authorization is the second method covered in this series of posts on maintaining a session.

User Authorization is the most common way to maintain a session between client and server.
A user has to sign in to the application using their credentials. Once the user submits the form with the correct credentials, a session is created on the server and is used for the entire user session.

Use these credentials to make this form work:
Password: session

This page contains the login form.

If the user logs in successfully, the welcome page is displayed. It shows a hello message and the user's email ID.

In the screenshot above, you can see the login form. We haven't logged in yet; the session present is the one that the Apache Tomcat server assigns to the browser by default.

Now let's log in with the credentials.

Using this method, we have set the session in the Apache Tomcat server, not in cookies.

Below is the code snippet to display the session value on the webpage
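
An added example (not the author's original snippet) of the login flow described above: a login servlet stores the user's email in the server-side HttpSession and a welcome servlet reads it back. It also rotates the session ID on successful login with `changeSessionId()`, so the ID Tomcat issued to the browser before login is not carried into the authenticated session. The `javax.servlet` namespace, the URL patterns, the form field names, `login.jsp` and the demo email address are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Assumes javax.servlet 3.1+ (Tomcat 8/9); on Tomcat 10+ the packages are jakarta.servlet.
public class SessionLoginDemo {
    // Constructed demo account; a real application verifies a salted hash from a user store.
    private static final String DEMO_EMAIL = "user@example.com";
    private static final byte[] DEMO_PASSWORD = "session".getBytes(StandardCharsets.UTF_8);

    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String email = req.getParameter("email");       // hypothetical form field names
            String password = req.getParameter("password");
            boolean ok = email != null && password != null && DEMO_EMAIL.equals(email)
                    && MessageDigest.isEqual(DEMO_PASSWORD, password.getBytes(StandardCharsets.UTF_8));
            if (!ok) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid credentials");
                return;
            }
            // A JSESSIONID may already exist from before login. Keep the session object but
            // give it a fresh ID, so an ID known before login is worthless afterwards.
            HttpSession session = req.getSession(true);
            req.changeSessionId();
            session.setAttribute("email", email);   // held on the server; the cookie carries only the ID
            resp.sendRedirect(req.getContextPath() + "/welcome");
        }
    }

    @WebServlet("/welcome")
    public static class WelcomeServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);    // do not create a session for anonymous users
            Object email = (session == null) ? null : session.getAttribute("email");
            if (email == null) {
                resp.sendRedirect(req.getContextPath() + "/login.jsp"); // hypothetical login page
                return;
            }
            resp.setContentType("text/html;charset=UTF-8");
            resp.getWriter().println("<p>Hello, " + escape(email.toString()) + "</p>");
        }
    }
    // Minimal HTML escaping so a stored value is rendered as text, not markup.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
}
```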

Playing with Session in Java

In this post, Playing with Session in Java, we will explore some session concepts and try to understand what a session is:

What is a session?
A session is a concept that is used to maintain a connection between client and server.
In simple terms, the client and server interact using a session. The server recognizes the client by validating the client's session information.

Why is a session needed?
As HTTP is a stateless protocol, a way was needed to maintain a session, that is, to recognize the client.

Sessions do not last forever. A session expires either automatically, after a set time of inactivity (for the Java Web Server the default is 30 minutes), or manually, when a servlet explicitly invalidates it. When a session expires (or is invalidated), the HttpSession object and the data values it contains are removed from the system.

How to maintain session?
1. Cookies
2. User Authorization
3. URL rewriting
4. Hidden Fields
5. Session tracking API

We will discuss these methods with examples, but before that we would like to clarify some basic points about sessions:

* You don’t need login/logout mechanisms in order to have sessions.

* In Java servlets, HTTP sessions are tracked using two mechanisms: an HTTP cookie (the most commonly used) or URL rewriting (to support browsers without cookies or with cookies disabled). Using only cookies is simple; you don’t have to do anything special. For URL rewriting, you need to modify all URLs pointing back to your servlets/filters.

* Each time you call request.getSession(true), the HttpRequest object will be inspected in order to find a session ID encoded either in a cookie OR/AND in the URL path parameter (what’s following a semi-colon). If the session ID cannot be found, a new session will be created by the servlet container (i.e. the server).

* The session ID is added to the response as a Cookie. If you want to support URL re-writing also, the links in your HTML documents should be modified using the response.encodeURL() method. Calling request.getSession(false) or simply request.getSession() will return null in the event the session ID is not found or the session ID refers to an invalid session.

* There is a single HTTP session per visit, as Java session cookies are not stored permanently in the browser. So session objects are not shared between clients. Each user has their own private session.

* Sessions are destroyed automatically if not used for a given time. The time-out value can be configured in the web.xml file.

* A given session can be explicitly invalidated using the invalidate() method.

* When people talk about JSESSIONID, they are referring to the standard name of the HTTP cookie used for session tracking in Java.
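
An added example (not code from the original post) tying together the points in the list above: it restricts session tracking to the JSESSIONID cookie rather than URL rewriting, sets protective flags on that cookie, and invalidates the session explicitly on logout. The class names, the `/logout` mapping, `login.jsp` and the `javax.servlet` namespace are assumptions.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Assumes javax.servlet 3.1+ (Tomcat 8/9); on Tomcat 10+ the packages are jakarta.servlet.
public class SessionHardening {

    // Runs once at application start-up, before any session is created.
    @WebListener
    public static class Config implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            // Cookie-only tracking: the container no longer reads or writes ";jsessionid=..."
            // in URLs, so session IDs stay out of access logs, browser history and Referer headers.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true);   // JSESSIONID is not readable from page scripts
            cookie.setSecure(true);     // sent over HTTPS only (assumes the site is served over TLS)
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    // Explicit invalidation, as described in the list above.
    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);   // do not create a session just to destroy it
            if (session != null) {
                session.invalidate();   // the HttpSession object and its attributes are discarded
            }
            resp.sendRedirect(req.getContextPath() + "/login.jsp"); // hypothetical login page
        }
    }
}
```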


Now let's see the methods by which a session can be maintained:
1. Cookies: Maintaining a session using cookies is the simplest method; you don’t have to do anything special. In Java, when you open a website or webpage, a session is assigned by the browser, and these cookies have an expiration time.

See the screenshot below. Here a simple JSP page is displayed, and Apache Tomcat itself gives it a session ID.

You can also set your own cookie if you want to save anything in the browser’s cookies, just as shopping carts do to save the products visited by the user. This helps keep track of the products visited by the user even when the user is not logged in.

View Cookies Example

2. User Authorization
The most commonly used method to create a session between client and server. In this method the user has to enter credentials to get authorization to use the application.

View User Authorization Example

3. URL rewriting: In this method you need to modify all URLs pointing back to your servlets/filters.

View URL Rewriting Example

4. Hidden Fields
This method is used when there is a need to send some values with the form on submit.
The value set in a hidden field cannot be seen in the GUI but is present in the form as a hidden value.
Syntax of representing hidden value in the form:

View Hidden Field Example

5. Session tracking API

Download Project
NOTE: This project is hosted on Google Drive, so to download it you first need to add it to your Google Drive; you will then get the option to download it.