For easy understanding, the notes are given in question/answer format.
1. What is a Session in Servlets?
The interactive time between client and server on a single connection is known as a session. Or
The period of time between the connection being established and the connection being closed between client and server is known as a session. Or
A session begins when the client logs in to a Web site and ends when the user logs out. Or
A session starts when the connection is established at both ends (client and server) and terminates when the connection (communication) is ended (closed by the server).
The connection is maintained by the Servlet container while the client and server converse back and forth in a session (which lasts for some duration).
2. What is Session Tracking or Session Management?
A session includes a lot of interactions, in which data is exchanged between client and server, of course on a single connection. Once the server accepts the client connection, the client and server talk to each other and accumulate a lot of exchanged data, including commits, questions, answers and the like. Keeping the data of the session intact (preserving it) so that it can be reused later is known as session tracking or session management.
A session can temporarily store information related to the activities of the user while logged in. A servlet should be capable of storing temporary information pertaining to the activities of the user in a session.
3. Is session tracking a big problem, as it is discussed a lot here?
Yes, it is a big headache, because the HTTP protocol being used is connectionless and stateless.
4. Why do we require session tracking? Can you give one example?
Session tracking is required many a time in Web communication, especially in e-commerce or online shopping (the shopping cart). In online shopping, a client logs into an e-commerce web site and clicks many times on the items he would like to buy. In between, he may ask the server for the details of a product, its price, any schemes available, etc. The server duly responds and makes a note of the items the buyer orders. Preserving the item names and quantities over the whole session is a must in order to make a final bill before the client transfers money online. All this requires session tracking. The best example is this one of online shopping and the shopping cart.
5. Then, how do we maintain a session given the stateless and connectionless nature of the HTTP protocol?
There exist four styles or methodologies for session tracking. They are:
- Using Hidden fields
- Using URL Rewriting
- Using HttpSession interface
- Using Cookies
The first two styles are almost discarded by the programming world, as they increase network traffic considerably and add processing load to each request on the Web server.
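The shopping-cart case from question 4 done with the HttpSession style, with URL rewriting as the fallback when cookies are disabled. This is an added example, not code from the original notes; the servlet, its /cart mapping and the item parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical shopping-cart servlet (assumed mapped to /cart).
// Every request with ?item=... adds that item to a cart kept in the
// client's HttpSession, so the list survives across many requests.
public class CartServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession() creates the HttpSession and issues the JSESSIONID
        // cookie on the first call; later requests return the same object.
        HttpSession session = request.getSession();

        @SuppressWarnings("unchecked")
        List<String> cart = (List<String>) session.getAttribute("cart");
        if (cart == null) {
            cart = new ArrayList<>();
            session.setAttribute("cart", cart);  // data lives on the server, keyed by the ID
        }

        String item = request.getParameter("item");
        if (item != null && !item.isEmpty()) {
            cart.add(item);
        }

        // encodeURL() appends ;jsessionid=... only when the browser did not
        // send the cookie, i.e. the container falls back to URL rewriting.
        // Prefer cookies: an ID in the URL ends up in logs and browser history.
        String nextUrl = response.encodeURL(request.getContextPath() + "/cart?item=pen");

        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("Items in your cart: " + cart.size());
        for (String i : cart) {
            out.println(" - " + i);
        }
        out.println("Next link (with URL rewriting if needed): " + nextUrl);
    }
}
```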
6. What is a Session variable or Session ID?
To think practically, an online shopping site is logged into by many clients at the same time. Each client will have his own data of items. A lot of hits and clicks come to the site. To recognize the client (after he has logged in successfully) each time he clicks (requests) something, the server maintains an ID number known as the session variable or Session ID. This number is issued by the server when the user logs in for the first time. This number is used internally (the client is not aware of it) between client and server in their conversation. The ID number is destroyed when the client logs out (technically speaking, when the connection is destroyed). This ID in servlets (which you can inspect) is of considerable length (more than 30 characters) and comprises lowercase and uppercase letters and digits.
This Session ID or variable is mostly managed by the server as a cookie (for this to work, the cookies option should be enabled on the client's browser; otherwise, the alternative is URL rewriting). This ID is added to the request header of the client each time he converses, so the server knows well which client the request is coming from and tracks the data by this session variable.
7. Is it possible for the server to give the same ID to two clients, since the ID is just a number?
Theoretically speaking, it is possible. But the chances are not even one in one lakh, due to the length of the ID. The ID is case-sensitive. Once you see a typical ID (which you can obtain with the getId() method), you will accept this. The following points will clear up a lot of your doubts about sessions.
- It is not required to have multiple logins and logouts to maintain sessions. One login and one logout are enough.
- Each client is issued a single unique ID by the Web server.
- Sessions or session IDs are not sharable; each client has a private session.
- Session ID cookies are not stored permanently on the client browser.
- At any time, the server can close the connection by calling the invalidate() method of the HttpSession interface.
- Sessions are implicitly closed by the server when the client does not use (interact with) the session (or server) for a long time. This "long time" can be configured either programmatically or declaratively in web.xml, the deployment descriptor.
- The name of the cookie issued by the Web server in Servlets/JSP is JSESSIONID. It is created implicitly when the HttpSession object is created, that is, when the getSession() method is called. Each JSESSIONID carries a unique ID (in fact, the ID is a string, as it contains letters as well). The server knows the client by this JSESSIONID only, and session management is done on this JSESSIONID.
8. How does the Web server keep track of who is who?
This has already been explained earlier. The server tracks with the JSESSIONID; the ID is entirely managed by the server and the client has no knowledge of the ID (it is completely innocent) throughout the session. Let us see some more details of Session ID creation.
- The client logs in to the site.
- The Servlet engine generates a cookie with a unique JSESSIONID number on the client browser.
- Each time the client hits the site, the ID is sent back.
- The Servlet engine uses this JSESSIONID to know who is who.
- Every user buys a cartful of items, and all items are identified by the JSESSIONID.
- The JSESSIONID is destroyed when the user logs out.
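The life of a session ID as listed in questions 7 and 8 (creation on the first hit, getId(), the idle timeout set programmatically or in web.xml, and invalidate() on logout) in one servlet. This is an added example, not code from the original notes; the servlet, its /account mapping and the action parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login/logout servlet (assumed mapped to /account) showing the life
// of a session ID: created on the first hit, re-sent on every hit, destroyed on logout.
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();

        if ("logout".equals(request.getParameter("action"))) {
            HttpSession old = request.getSession(false);  // null if none exists
            if (old != null) {
                old.invalidate();  // server forgets the ID and everything stored under it
            }
            out.println("Logged out; the JSESSIONID is no longer valid.");
            return;
        }

        HttpSession session = request.getSession();  // created on the first hit
        if (session.isNew()) {
            // A fresh ID was just issued. On a real login, a Servlet 3.1+ container
            // (assumed) can also rotate it with request.changeSessionId().
            session.setMaxInactiveInterval(15 * 60);  // idle timeout in seconds
            session.setAttribute("user", "guest");
        }

        // The ID is printed only to show its length and character set;
        // real pages should never echo it.
        out.println("Session ID : " + session.getId());
        out.println("New session: " + session.isNew());
        out.println("Idle limit : " + session.getMaxInactiveInterval() + " s");
        out.println("User       : " + session.getAttribute("user"));
    }
}

// The same idle timeout can instead be declared for the whole application
// in web.xml (value in minutes):
//   <session-config><session-timeout>15</session-timeout></session-config>
```

Hit /account twice with cookies enabled and the same ID comes back with "New session: false"; hit /account?action=logout and the next request gets a brand-new ID.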