Session tracking in JSP

Similar Messages

• How to do session tracking in JSP

  I want to do session tracking in my JSP pages.Say once after the user logs in,on every page I can get his username for further use.Thank you for your help!
  Richard

  <%
  session.setAttribute("svUserName", request.getParameter("name_of_username_form_field"));
  // from the login page
  %>
  then to retrieve,
  <% String UserName;
  UserName = (String)session.getAttribute("svUserName").toString(); %>
  to display,
  <%= UserName %>

• Session tracking in JSP pages

  I've two pages in my web application which need regular refresh after a particular interval.I'm using
  (session.setMaxInactiveTime) to check the session validation.& HTML's <META> tag to regularly refresh the page after particular interval.
  On these two pages there are links to the different pages for which i'm opening a new window.
  But i'm losing the session after some time & i'm not able to catch the source from where the session is getting invalidated.even when i'm using meta tag of html to refresh the page.
  I'm also using HttpSessionEventListener Interface to know when the session.putValue & session.removeValue
  functions are used.
  I hope the problem is clear to you people.
  an urgent help/suggestion will be appreciated.
  thanks in advance

  Hi,
  it isn't easy see your problem. When you losing your session? When you hava open a link from your page i a new browser window (instance) and return?
  Also check follow: when no validate session exist, a jsp open a new session, else you use <%@ page session="false" %>
  Roland

• How to manage session tracking in jsp

  how to track user account upto when he log out from the application. and tell me how to develop secure page.

  You've posted this to the wrong forum: this forum is about Java Web Start, which is a product of Sun Microsystems.

• Disable non-SSL session tracking?

  Hi, all,
  I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
  I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
  Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
  Thanks,
  Dmitri.

  I don't think you can do this programatically.
  However I also don't think it is a problem.
  Cookies are related to zone names aren't they?
  http://mysite and https://mysite are two different
  zones as far as cookies are concerned. One should
  not be able to see the other.
  It issues a new cookie for the http site you are just
  navigating to. That cookie has nothing to do with
  the secure site you just came from, and shouldn't be
  able to tell them any info about the secure site.
  I think you are worrying about something that isn't
  really there.
  What is your concern? That they pick up a JSESSIONID
  from the cookie and can then pretend to be a
  different user?Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
  I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

• Session Tracking problem

  I am doing session tracking in jsp. what my purpose is i want to stop the user, if the user is already logged in.
  For this, i am creating a Hashtable and entering the user id and session id as key- value pairs into the hashtable when the user is loggin in, if not in the hashtale. If these values are already in the hashtable, i am restricting the user.
  when the user selects the log out option, i am invalidating the session and deleting the values in the hash table. this is working fine.
  What my problem is suppose if the user closes the window, the session will be expired. but,i am not able to delete the values which are in the hashtable.
  and if the user is trying to log in, according to my logic it is allowing the user.
  Thanks
  Anupama

  i hope this would add-up to others' suggestion, albeit, i would recommend a bit change:
  Given:
  a. you're already implementing a session object that has pair value of user id and session id;
  b. you want to restrict a user who previously logged-in but, say he/she accidentally or intentionally closed the browser, thus leaving his session object in the hashtable
  Proposed Solution:
  a. change your pair value from user id-session id to user id-passwd;
  Explanation:
  a. i believe that you maintain a user bean (with session scope) all throughout the web application;
  b. i also believe that at the same time, you maintain other beans of the same scope, but that's out of question;
  c. putting a session id will give you difficulties in validating a common user that previously logged in because each time a user logs-on, you generate a unique session id;
  d. therefore, you cannot test equality of newly logged user and his new session id with that of his previous in the hashtable (if case pertains to abnormal browser termination);
  e. changing a pair to user id and passwd will enable you to really trap and test if the new user has unterminated or invalidated session in the hashtable;
  f. now, if previously logged user (with session still in the hastable) logs for the second time, you may invalidate his old session and give him a new session.

• How to track the same session using both jsp and servlets

  Hello, guys:
  "how to use jsp and servlet to track the same session",
  it seems to me my logoff.jsp never realize the session I established in my servlets.
  Here is how I set my session in my servlets:
  "     HttpSession session = req.getSession(true);
  session.setAttribute("userid",suserid);"
  Here is how I invalidate my session in my logoff.jsp
  " <%@ page language= "java" %>
  <%@ page import="javax.servlet.http.HttpSession" %>
  <%@ page session="false"%>
  Our Session id is : <%= session.getId() %>
  <% session.removeAttribute("userid");
  session.invalidate();
  %>
  Our Session id is : <%= session.getId() %>"
  but when I try to logoff using the logoff.jsp
  I always get following error message.
  "/home/jiao/jsp_webserver/tomcat/work/Standalone/localhost/syllabus/htmls/logoff_jsp.java:50: cannot resolve symbol
  symbol : variable session
  location: class org.apache.jsp.logoff_jsp
  out.print( session.getId() );"
  T.I.A.
  [Edited by: jiveadmin on Jun 18, 2003 10:32 AM]
  [Edited by: jiveadmin on Jun 18, 2003 10:33 AM]

  So,
  <%@ page session="false"%>
  That means the jsp never instantiates the build in session object.
  <%@ page session="true"%>
  means jsp will instantiates a session object if there are no existing ones
  how about I just delete the line,
  does that mean the jsp will find the existing session object for me?
  So I can do something like
  Our Session id is : <%= session.getId() %>
  <% session.removeAttribute("userid");
  session.invalidate();
  %>
  directly.
  T.I.A.

• What role can ejb Session Beans  play  jsp session tracking

   

            I am also looking for a way to use JSP as ejb client with WLS5.1. i would appreciate any help.
            -Girish
            Prasad Peddada <[email protected]> wrote:
            >David,
            >     The beans which are refered in jsp specs are java beans and not EJB.
            >
            >Prasad
            >
            >David Levy wrote:
            >>
            >> Hello,
            >>
            >> We are using Jsp/Servlets which will hold session state and subsequently
            >> call ejb Session Beans for transaction/persistence coordination . We are
            >> not sure if we are using the correct techniques to control object memory.
            >>
            >> Summary of what we have:
            >>
            >> A jsp with the "useBean" directive:
            >> <jsp:useBean id="MySession" class="com....MySession"
            >> scope="session"></jsp:useBean>
            >>
            >> The class MySession holds other classes ( all serializable).
            >> The class MySession is NOT an ejb Session Bean
            >>
            >> Questions:
            >> We are considering making class MySession an ejb Session Bean so (via it's
            >> passivate/activate feature) we can control instances in memory as more web
            >> clients start the session from the jsp page. I.E. all web clients will have
            >> their own HttpSession instance which holds on to an ejb Session Bean object
            >> "MySession"( or a passivated representation of it)
            >>
            >> 1) Is this a sufficient approach or will there be other memory concerns?
            >> I.E. What about all the HttpSession objects out there? Do they need to be
            >> passivated as well?
            >>
            >> 2) If its a good idea to passivate the HttpSessions as well, then what
            >> mechanism should be used ( servlet session persistence)? Also, if we are
            >> passivating the HttpSession (which holds on to the MySession object graph)
            >> , then why bother with the SessionBean for passivation
            >>
            >> 3) Currently, we only have a single instance of a servlet handling all
            >> requests. Will multiple instances buy us anything?
            >>
            >> 4) How does clustering relate to this topic?
            >>
            >> 5) Can we change the "jsp:useBean" directive so MySession is an ejb Session
            >> Bean or do we have to do the "home.create()" within a jsp script?
            >>
            >> thanks,
            >> dave
            

• URL Session Tracking

  Hi,
  i want to make a group of JSP pages in a Web App, but assuming that the browser doesn't accept cookies.
  Is there anyway that i don't have to indicate every link as
  response.encodeUrl("index.jsp")I've heard something about a <url-session-tracking/> tag, but i've tried to put in the web.xml file, but it doesn't work.
  I just want to put Index and the App Server takes care of putting the jsessionid info in front of the url
  Thank you

  Cancelling this question.

• Can we use an overloaded constructor of a Java Bean with Session Tracking

  Hi Friends,
  If any one can solve my query.... It would be helpful.
  Query:
  I have a Java Bean with an overloaded constructor in it. I want to use the overloaded constructor in my JSP.
  1. One way of doing that is to use it directly in the "Scriptlets" (<% %>). But then I am not sure of the way to do session tracking. I think I can use the implicit objects like "session", "request" etc. but not sure of the approach or of the implementation method.
  2. Another way is through the directive <jsp: useBean>. But I cannot call an overloaded constructor with <jsp: useBean>. The only alternative way is to use the directive <jsp: useBean> where I have to write getter and setter methods in the Java Bean and use the <jsp: setProperty> and <jsp: getProperty> standard actions. Then with this approach I cannot use the overloaded constructor.
  Can any one suggest me the best approach to solve this problem ?
  Thanks and Regards,
  Gaive.

  My first reaction is that you can refactor your overloaded constructor into an init(arguments...) method. Instead of overloaded constructor, you can call that init method. This is the ideal solution if possible.
  As to the two choices you listed:
  1. This is OK, I believe. You can use scriplet to define the bean and put it into session scope of the pageContext. I am not sure exactly what you meant by session tracking; whatever you meant, it should be doable using HttpSessionAttributeListener and/or HttpSessionBindingListener.
  2. Agreed. There is no way that <jsp:useBean> can call a constructor that has non-empty arguments.
  Please tell me how it works for you.

• How to use session tracking

  i am making shopping mall project .
  ist page conatins list of product avaiale
  2nd page contains list of manufacturuer avaible
  problem:-
  i want to display on 3rd page the product seleted by user in 1st page
  i used session tracking concept.but problem is the value is coming null in third page
  please tell me how to solve my problem

  If it is like a shopping cart, I suggest you to look for a good shopping cart examples available plenty online.
  But if its just about keeping session variables and using them the following works.
  Test with a simple example. Have three jsp files like a.jsp, b.jsp and c.jsp.
  put the following in a.jsp
  <% session.setAttribute("Mobile","Nokia");%>
  <%=session.getAttribute("Mobile")%>
  <a href="b.jsp">Go to B.jsp</a>Print the value of session variable - <%=session.getAttribute("Mobile")%> in b.jsp and c.jsp
  And in b.jsp have a link to c.jsp and so on. Once you set a session variable, it lives as long as your session doesnt expire.
  Try it. and also look for more session tracking examples online.
  Message was edited by:
  passion_for_java

• Always use URL Rewriting for session tracking?

  All you JSP guru:
  I am working on a JSP project that requires session tracking. I have successfully implements session tracking with both cookies or URL rewriting. I know that with the HttpSession object, it will always try to use cookie first, if that's disabled, then it'll automatically switch to URL rewriting. However, is there a way to force the HttpSession object to ALWAYS use URL rewriting instead of cookies? I have searched for an answer for a long time and haven't been able to found a solution. Is it possible at all? Thank you very much.

  i was going to say that WebSphere always uses URL rewriting if you enable it at all, but someone beat me to it (indirectly) :-)
  however, that seemed to me to be a violation of the spec, which seemed to imply the behaviour you're describing (only use URL rewriting if cookies are not supported on the current client)
  here's a response someone else made on a websphere newsgroup to a statement in that regard:
  I believe you are technically correct. However from my
  experience, I think the spec if flawed in this area since
  there is no reliable way of determining whether the
  client browser supports cookies. The authority on
  cookies (www.cookiecentral.com) says:
  "To properly detect if a cookie is being accepted via
  the server, the cookie needs to be set on one HTTP
  request and read back in another. This cannot be
  accomplished within 1 request."
  This is asking too much of a servlet engine
  implementation. Even if it did submit a request for this
  purpose, the user could refuse the cookie. So
  then technically the browser supports cookies, but the
  servlet engine infers it doesn't. So if the servlet engine
  infers the browser does not support cookies and so
  encodes the URL, it is again out of spec because the
  browser really does support cookies. By doing it
  however encoding is configured makes things simpler,
  robust, consistent and avoids the flaw.
  My opinion.so, mostly i'm just rambling, but if you're using websphere, you should get the behaviour your boss wants. if you're using something else, i suppose there's a chance it'll "violate" the spec in this same, potentially helpful way.
  btw, i remember somebody else complaining that URL rewriting is less secure than cookies, but i kinda think they're about equal. it seems like either could be intercepted by a sniffer and then used to spoof. but i'm no expert in that stuff...

• Looking for an expert on session tracking

  I've got some session code running on RH linux using Apache and Tomcat. About 7% of my users experience a session variable not being present after a <jsp:forward> (or sendRedirect). I was thinking that it was related to cookies and how sessions are tracked, but I am using both the default cookie session tracking as well as URL re-writing; when I turn my browser's cookies off, I start seeing the jsessionid being used and everything still seems to work ok.
  Is there anyone out there who might be willing to help me figure this pup out...why 7% of my users can't be tracked (session.getAttribute() doesn't find something that was placed into the session directly before the redirect/forward)?
  /paul
  [email protected]

  OK, I've done a bunch of debugging. It appears all the folks who experience a "loss of session" have a URL with no parameters...even though I now parameters where passed.
  Also, in some cases, the new URL that is being visited is accessed via either a <jsp:forward> or javascript's window.open.
  Anyone know why some browsers might not pass parameters?

• Session tracking and Internet Explorer

  Hi,
  I am currently maintaining a servlet application, on apache/jserv.
  This application implements a session tracking using a shared static hashtable of session data, associated with session id's.
  This application may open more than one client browser windows.
  With netscape, no problem.
  With Internet Explorer, since the version 6, when the client close at least one window, the session is closed.
  Thus, the application reject any new request from this client, sent by still open windows (session cannot be retrieved in the hashtable).
  Has somebody heard about this problem ?
  Thanks for any answer.

  Thanks.
  In fact, I believe that IE keeps the same session for
  child windows.
  The problem is: when you click on a link which open a
  new window, the new open window share the session with
  its parent window.
  When the new window is closed, the session is also
  closed.
  It appears that this mechanism only exists since the
  version 6 of IE.No. Earlier IE version handle session cookies the same way.

• How to use session variable in JSP function  & How to use both JSP  Servlet

  Hi,
  I am new to JSP and servlets
  Still I am devloping a website in JSP. I am not mixing JSP with servlets, but I do create Java files for bean, logic and database works.
  I try to keep the hard coding part out of JSP.
  I dont how to use both JSP and Servlets in combination.
  Hence If needed I write some functions in JSP.
  but it gives me error
  +<%! public void abc()+
  +{+
  int intUserId = Integer.valueOf((Integer) session.getAttribute("MySession_UserID"));
  +}+
  +%>+
  Saying cannot find symbol session
  1) So can u please tell how can I access session variables within JSP function
  2) And also give me some links/tutorials about useing both JSP and Servlets in combination.
  Thanks
  Venkat

  The application architecture when you use Servlets and JSP in a standard MVC pattern is explained here (under the heading "Integrating Servlets and JSP Pages") and here ...