To maintain HTTP session in Servlets, the Java API comes with javax.servlet.http.HttpSession interface. The methods of this interface are useful to do with session management. session
The HttpSession object is capable well to track or store the data exchanged by client and Web server in a session. Or more technically to say, the HttpSession object can hold the conversational state of client and server. With the HttpSession object, we can store or persist the data which can be retrieved later. Separate HttpSession objects exist for each client or to say, for one client one separate HttpSession object.
The Servlet container creates a Session ID in the form of a Cookie and sends to client to store temporarily. When the server and client exchange data over the session, they must quote this ID to recognize each other. The cookie contains the ID. This cookie is attached to the response, to know which client is talking. The HTTP session between client and server is identified by Session ID.
All the HTTP session management is done by the Servlet container implicitly. The programmer job is just to tell the container that he requires a session (the simple statement in the code, request.getSession(), tells the container). That is all and all the remaining activities like creating a session object, creating a ID, attaching ID with the session, creating a Cookie object, placing the Cookie in the response etc. are taken care by the container implicitly.
If the client’s browser does not accept the cookies on his browser by disabling the Cookie option, the other way to the Programmer to maintain HTTP session is URL Rewriting. The cookie is added to at the end for every URL exchanged from client and server.
Obtaining HttpSession object
Being an interface, the object of HttpSession cannot be created directly with new keyword. It can be obtained by using getSession() method of HttpServletRequest interface. The getSession() method returns an object of HttpSession (which I call simply session object in the discussion followed). This method is overloaded and let us discuss in detail (particularly this method).
HttpSession session = request.getSession();
In the above statement, getSession() method returns a session object. If the session already exists, it returns the same object to the client and if not available, creates a new session object and returns.
Now the question is how the client got already a HTTP session object? Why he requires again? If the client first time accesses an online shopping site, the server creates automatically a session object and returns. At the same time, by chance, the same client opens another new browser window and request for a session, the server returns the earlier session object. All this is not known to the client.
HttpSession session = request.getSession(true);
In the above case (observe, true as parameter) always the server returns a new session object. When this is needed? If both Husband and Wife open two browser windows on the same system and do some activities on the same web site, then both are given separate sessions.
HttpSession session = request.getSession(false);
It is the same as getSession() without boolean parameter. It returns a session object which already exists else creates a new one.
Let us see other important methods.
- invalidate(): At the end of all session transactions of the client, to close the connection and destroy the session object, the Programmer calls this method or Programmer can call this invalidate() method to close the session abruptly half the way, if needed. When this method is called, no session exists between client and serer.
- String getId(): Returns an ID number, as a string, attached to the session object.
- long getCreationTime(): Returns the session creation time in milliseconds from 1-1-1970. This time will not change over entire session time.
- long getLastAccessedTime(): Returns the latest time of request client send in milliseconds from 1-1-1970.
- int getMaxInactiveInterval(): Returns maximum inactive interval time in seconds as an int value. Inactive interval indicates the period which the client does not do any activity on the site like adding or deleting etc. That is, this much time in seconds, the server does not close the session even if the client does not interact with the site.
- void setMaxInactiveInterval(int seconds): The inactive interval can be set by the Programmer with this method.
- void setAttribute(String str, Object obj): Binds an object to this session, using the name str. If an object of the same name is already bound to the session, the object is replaced. str is treated as the key and value as obj. The setAttribute() method takes always key/value pairs where key is always a string and value can be an object of any Java class. With this method, the Programmer can store session data with the session object.
- Object getAttribute(String str): Returns the object attached to the session on the name str which is set earlier with setAttribute() method.
- void removeAttribute(String str):
Removes the object attached with session object with the name str. If the session does not have an object bound with the specified name, this method does nothing.
Example codes on these methods is shown later.
Note: Do not store large quantity of data with HttpSession object as it decreases performance.