Tuesday, August 17, 2010

Session Tracking in Java

Maintaining client sessions is the ability for servers to associate multiple stateless http requests within a single session context. Often, implementing session seems to be magic, but an actual mechanism exists by which this is implemented.

The main requirement for maintaing client sessions is the server's ability to associate one request with a previous request. In order to do this, a session id must be generated and passed back from the server to client. The client will then pass this session id in subsequent requests to associate these with the previous request. The main difference between the various methods of maintaing a session is the form of the session id, such as the way the session id is generated or how it is stored on the client and/or on the server.

Java web servers provide a default implementation using Http Session. However, there are several other ways. The server

1) Using HttpSession

Generation: web server
Client Location: cookies or url
Server Location: web server

Java web servers by default can maintain http sessions by generating at request a session id, or the JSESSION_ID. Once the session has been established, the Java web developer can save any type of information in the new session when processing the request. The web server is responsible for storing this session and any saved information without any additional coding. Once the request has been processed, a JSESSION ID is passed back to the browser as a cookie. The browser saves the cookie. On subsequent requests to the same web server, the cookie is passed back to the server, and the web server picks up the session cookie and retrieves the JSESSION ID. Once the session id has been identified, the session associated with the id is set on the request.

2) Encrypt and Decrypt

Generation: servlet
Client Location: cookies
Server Location: N/A

When the client makes a request with a particular user-specific id, the server can generate the session id from this user id. The user id

3) Memcached

Generation: servlet
Client Location: cookies
Server Location: N/A