Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best option for Session management in Java

Best way managing session in Java. I heard that cookies are not reliable option for this as they gets stored into browser and can be accessed later on? Is this correct? If possible please come up with the answers with the coding example.

Which is the best among:

  • URL Rewriting: Server will add an additional parameter at the end of URL link
  • Hidden parameter in Form: server will add an additional parameter at every form in HTML
  • cookie: Server will ask browser to maintain a cookie.
like image 957
Sachin Chourasiya Avatar asked Nov 09 '09 11:11

Sachin Chourasiya


People also ask

How do you manage session in Java?

Servlet API provides Session management through HttpSession interface. We can get session from HttpServletRequest object using following methods. HttpSession allows us to set objects as attributes that can be retrieved in future requests. HttpSession getSession() - This method always returns a HttpSession object.

Which method is used in session management?

An efficient session management technique is required to keep track of multiple session ID. The different techniques used by web applications for identifying individual sessions are cookies, URL rewriting, SSL and hidden form fields.

How many types of session management are there?

There are two types of session management mechanisms for web applications, permissive and strict, related to session fixation vulnerabilities.


2 Answers

The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). Only thing what you really need to take care of is the URL rewriting for the case that the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use the JSTL's c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.

Your new question shall probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while there's no one created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as a value of the cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.

According to the HTTP cookie spec the client is required to send the same cookies back in the headers of the subsequent request. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back by every call on HttpServletRequest#getSession().

To the point: the only thing which is stored in the client side is the session ID (in flavor of a cookie) and the HttpSession object (including all of its attributes) is stored in the server side (in Java's memory). You don't need to worry about session management youself and you also don't need to worry about the security.

See also:

  • Authenticating the username, password by using filters in Java (contacting with database)
  • How to redirect to Login page when Session is expired in Java web application?
  • How to implement "Stay Logged In" when user login in to the web application
like image 65
BalusC Avatar answered Sep 25 '22 03:09

BalusC


All Java web frameworks support cookies or URL-encoded session IDs. They will chose the correct approach automatically, so there is nothing you need to do. Just request the session object from your container and it will handle the details.

[EDIT] There are two options: Cookies and a special URL. There are problems with both approaches. For example, if you encode the session in an URL, people can try to pass the session on (by putting the URL into a mail, for example). If you want to understand this, read a couple of articles about security and build app servers. Otherwise: Your Java app server will do the right thing for you. Don't think about it.

like image 32
Aaron Digulla Avatar answered Sep 24 '22 03:09

Aaron Digulla