What is session tracking in servlets?

Hi ,
I'm studying servlets. I don't have a clear idea about session tracking, or why and where we need to use it. Can anyone say something about this?
Thanks in advance,
Maheshwaran Devaraj

Well Mheshpmr, session tracking in servlets is very important. There are a number of problems that arise from the fact that HTTP is a "stateless" protocol. In particular, when you are doing on-line shopping, it is a real annoyance that the Web server can't easily remember previous transactions. This makes applications like shopping carts very problematic: when you add an entry to your cart, how does the server know what's already in your cart? Even if servers did retain contextual information, you'd still have problems with e-commerce. When you move from the page where you specify what you want to buy (hosted on the regular Web server) to the page that takes your credit card number and shipping address (hosted on the secure server that uses SSL), now let me tell you, how does the server remember what you were buying?
Well, there are three typical solutions to this problem.
1. Cookies. You can use HTTP cookies to store information about a shopping session, and each subsequent connection can look up the current session and then extract information about that session from some location on the server machine. This is an excellent alternative, and is the most widely used approach. However, even though servlets have a high-level and easy-to-use interface to cookies, there are still a number of relatively tedious details that need to be handled:
* Extracting the cookie that stores the session identifier from the other cookies (there may be many, after all),
* Setting an appropriate expiration time for the cookie (sessions interrupted by 24 hours probably should be reset), and
* Associating information on the server with the session identifier (there may be far too much information to actually store it in the cookie, plus sensitive data like credit card numbers should never go in cookies).
2. URL Rewriting. You can append some extra data on the end of each URL that identifies the session, and the server can associate that session identifier with data it has stored about that session. This is also an excellent solution, and even has the advantage that it works with browsers that don't support cookies or where the user has disabled cookies. However, it has most of the same problems as cookies, namely that the server-side program has a lot of straightforward but tedious processing to do. In addition, you have to be very careful that every URL returned to the user (even via indirect means like Location fields in server redirects) has the extra information appended. And, if the user leaves the session and comes back via a bookmark or link, the session information can be lost.
3. Hidden form fields. HTML forms have an entry that looks like the following: <INPUT TYPE="HIDDEN" NAME="session" VALUE="...">. This means that, when the form is submitted, the specified name and value are included in the GET or POST data. This can be used to store information about the session. However, it has the major disadvantage that it only works if every page is dynamically generated, since the whole point is that each session has a unique identifier.
Servlets provide an outstanding technical solution: the HttpSession API. This is a high-level interface built on top of cookies or URL-rewriting. In fact, on many servers, they use cookies if the browser supports them, but automatically revert to URL-rewriting when cookies are unsupported or explicitly disabled. But the servlet author doesn't need to bother with many of the details, doesn't have to explicitly manipulate cookies or information appended to the URL, and is automatically given a convenient place to store data that is associated with each session.
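As an added example (it is not code from the post above or from any product it mentions), here is what the HttpSession API does with the three chores the post lists: finding the session from the cookie, expiring idle sessions, and keeping the real data on the server so only an opaque identifier ever travels to the browser. The servlet name, the /cart path and the attribute name are assumptions, and the code assumes the Servlet 3.0 or later API (javax.servlet).

```java
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: a shopping cart whose contents live only on the server, keyed by the
// session ID the container manages. Servlet name, path and attribute name are assumptions.
@WebServlet("/cart")
public class CartServlet extends HttpServlet {

    private static final String CART_ATTR = "cart";            // session attribute name (assumed)
    private static final int IDLE_TIMEOUT_SECONDS = 30 * 60;   // idle sessions are dropped after 30 minutes

    /** Returns this visitor's cart, creating the session and an empty cart on first use. */
    @SuppressWarnings("unchecked")
    static Map<String, Integer> cartOf(HttpServletRequest req) {
        HttpSession session = req.getSession(true);            // the container finds or creates the session
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);  // the "expiration" chore, handled server-side
        Map<String, Integer> cart = (Map<String, Integer>) session.getAttribute(CART_ATTR);
        if (cart == null) {
            cart = new LinkedHashMap<>();
            session.setAttribute(CART_ATTR, cart);             // the cookie carries only the ID, never the data
        }
        return cart;
    }

    /** POST item=SKU adds one unit; POST action=clear throws the whole session away. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        if ("clear".equals(req.getParameter("action"))) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();                          // the server forgets the ID; the cookie is now worthless
            }
        } else {
            String item = req.getParameter("item");
            if (item != null && item.matches("[A-Za-z0-9-]{1,32}")) {   // accept only a plain SKU shape
                cartOf(req).merge(item, 1, Integer::sum);
            }
        }
        // encodeRedirectURL appends ;jsessionid=... only when the container has fallen back to
        // URL rewriting, so the redirect keeps the session for clients that do not accept cookies.
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/cart"));
    }

    /** GET renders the cart; it deliberately creates no session for a visitor who has none. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);           // null unless the request carried a valid ID
        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><h1>Your cart</h1>");
        @SuppressWarnings("unchecked")
        Map<String, Integer> cart = session == null ? null : (Map<String, Integer>) session.getAttribute(CART_ATTR);
        if (cart == null || cart.isEmpty()) {
            out.println("<p>(empty)</p>");
        } else {
            out.println("<ul>");
            for (Map.Entry<String, Integer> e : cart.entrySet()) {
                out.println("<li>" + escape(e.getKey()) + " x " + e.getValue() + "</li>");
            }
            out.println("</ul>");
        }
        // The form actions are encoded for the same reason as the redirect above.
        String action = res.encodeURL(req.getContextPath() + "/cart");
        out.println("<form method='post' action='" + action + "'>"
                + "<input name='item'> <input type='submit' value='Add'></form>");
        out.println("<form method='post' action='" + action + "'>"
                + "<input type='hidden' name='action' value='clear'><input type='submit' value='Clear'></form>");
        out.println("</body></html>");
    }

    /** Escapes text before it is echoed into HTML. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

The credit-card point in the post applies unchanged: nothing in the cart map ever leaves the server, so the only thing worth protecting in transit is the session identifier itself, which is why getSession(false) is used on the read-only path and invalidate() on clear rather than just emptying the map.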

Similar Messages

  • Servlets: session tracking

    hi
    i am a newbie to j2ee. i am currently learning about session tracking in Servlets. i have written a simple program.
    this is what its supposed to do:
    FirstNameSessionServlet page
    accept the first name of the user
    submit
    LastNameSessionServlet page
    it shows the firstname name
    show session id
    accept the last name of the user
    submit
    FirstandLastNameSessionServlet page
    show the first name
    show the last name
    show session id
    show session attribute names
    FirstNameSessionServlet page output:
    first name: textbox
    submit
    i enter abc into the textbox and click submit
    LastNameSessionServlet
    Your First Name is : abc(getParameter method used)
    Your First Name is : null(getSession method used)
    session id: CDFEBEEC7D599C70359AE52DBD1EAAEE session getLastAccessedTime1180087277281
    last name textbox
    submit
    i enter def into the textbox and click submit
    FirstandLastNameSessionServlet output page
    your first name is: null
    your last name is: def
    session id: CDFEBEEC7D599C70359AE52DBD1EAAEE
    session tracked success
    I can't understand the use of getAttribute(). Can anybody please tell me why getAttribute() is returning null when I am trying to access the firstname variable through this method? What am I doing wrong? Thanks for your help.
    shankha
    here is my code
    FirstNameSessionServlet.java
    //FirstNameSessionServlet.java
    package myname;
    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    public class FirstNameSessionServlet extends HttpServlet {
        public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            doPost(req, res);
        }
        public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            res.setContentType("text/html");
            PrintWriter pw = res.getWriter();
            pw.println("<html><body>");
            pw.println("<form action='/contentnames/uti/LastNameSessionServletpath' method='post'>");
            pw.println("<p>First Name: <input type='text' name='firstname'></p>");
            pw.println("<p><input type='submit' value='Enter'></p>");
            // the form above has not been submitted yet, so on this request the parameter is null
            String firstname = req.getParameter("firstname");
            HttpSession sess = req.getSession(true);
            sess.setAttribute("firstname", firstname);   // setting a null value leaves the attribute unset
            pw.println("</form></body></html>");
            pw.close();
        }
    }
    LastNameSessionServlet.java
    //LastNameSessionServlet.java
    package myname;
    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    public class LastNameSessionServlet extends HttpServlet {
        public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            doPost(req, res);
        }
        public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            res.setContentType("text/html");
            PrintWriter pw = res.getWriter();
            pw.println("<html><body>");
            pw.println("<form action='/contentnames/uti/FirstandLastNameSessionServletpath' method='post'>");
            String firstname = req.getParameter("firstname");   // submitted by the previous form
            int attrib = 1;
            HttpSession sess = req.getSession();
            String firstnamesession = (String) sess.getAttribute("firstname");   // never stored, so null
            req.setAttribute("firstname", firstname);
            req.setAttribute("firstnamesession", firstnamesession);
            //req.setAttribute("firstname",firstname);
            pw.println("<p>Your First Name is  : " + firstname + "(getParameter method used)</p>");
            pw.println("<p>Your First Name is  : " + firstnamesession + "(getSession method used)</p><br><br><br>");
            pw.println("session id: " + sess.getId());
            pw.println("session getLastAccessedTime" + sess.getLastAccessedTime());
            Enumeration names = sess.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                Object value = sess.getAttribute(name);
                pw.println("<p>name=" + name + " value=" + value + "</p><br>");
            }
            pw.println("<p>Last Name:  <input type='text' name='lastname'></p>");
            pw.println("<p><input type='submit' value='Enter'></p>");
    //      HttpSession sesslast = req.getSession();
    //      sesslast.setAttribute("lastname","lastname");
            pw.println("</form></body></html>");
            pw.close();
        }
    }
    FirstandLastNameSessionServlet.java
    //FirstandLastNameSessionServlet.java
    package myname;
    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    public class FirstandLastNameSessionServlet extends HttpServlet {
        public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            doPost(req, res);
        }
        public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            res.setContentType("text/html");
            PrintWriter pw = res.getWriter();
            pw.println("<html><body>");
            HttpSession sess = req.getSession(true);
            String firstname = (String) sess.getAttribute("firstname");   // still null: nothing was stored
            //String lastname = (String) sess.getAttribute("lastname");
            String lastname = req.getParameter("lastname");
            pw.println("<p>your first name is: " + firstname + "<br>");
            pw.println("your last name is: " + lastname + "</p><br><br><br>");
            Enumeration names = sess.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                Object value = sess.getAttribute(name);
                pw.println("<p>name=" + name + " value=" + value);
            }
            pw.println("session id: " + sess.getId());
            pw.println("<h1>session tracked success</h1>");
            pw.println("</body></html>");
            pw.close();
        }
    }

    Your understanding of the flow seems to be a little flawed.
    When you first open the FirstNameSessionServlet, you get the textbox asking for the firstname:
    FirstNameSessionServlet.java
        public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
            res.setContentType("text/html");
            PrintWriter pw = res.getWriter();
            pw.println("<html><body>");
            pw.println("<form action='/contentnames/uti/LastNameSessionServletpath' method='post'>");
            pw.println("<p>First Name: <input type='text' name = 'firstname'></p>");
            pw.println("<p><input type='submit' value='Enter'></p>");
            // The running of the code till this point generates the HTML page, but your servlet is not done yet!
            // Think of it as a function that till now has printed some output (the output being HTML code and the
            // destination being the browser); but the function has not finished executing yet:
            String firstname = req.getParameter("firstname");
            HttpSession sess = req.getSession(true);
            sess.setAttribute("firstname", firstname);
            // Now, the immediately preceding part of your code creates a string and tries to put the value of the
            // request parameter firstname into it and then put that string into the session object. But guess what?
            // Your application has only just started running, this is your first page and there is no parameter in
            // the request object with this name! This part of the code should come in the next servlet.
            pw.println("</form></body></html>");
            pw.close();
        }
    LastNameSessionServlet.java
            String firstname = req.getParameter("firstname");
            // This time, req.getParameter() will work since you submitted the last form which had a textbox
            // with this name; you'll get the contents of that box.
            int attrib = 1;
            HttpSession sess = req.getSession();
            String firstnamesession = (String) sess.getAttribute("firstname");
            // In the last servlet, you put in this parameter, but the value was null for reasons explained above.
            HttpSession sesslast = req.getSession();
            sesslast.setAttribute("lastname", "lastname");
            // Again, you will get null for lastname if you tried to access it from the request object since you
            // only just created the field with that name and you would be trying to access it within the same servlet.
            pw.println("</form></body></html>");
            pw.close();
    FirstandLastNameSessionServlet.java
            HttpSession sess = req.getSession(true);
            String firstname = (String) sess.getAttribute("firstname");
            // this will still not work since you never put a correct value in the session object
            // (should have done after req.getParameter("firstname") in the second servlet)
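The fix the reply describes, as an added example rather than the poster's code: the first servlet only draws the form, the second reads the submitted parameter and stores it in the session, and the third reads the session. The mappings /first, /last and /both are assumptions standing in for the poster's /contentnames/uti/... paths, and the code assumes the Servlet 3.0 or later API.

```java
// --- FirstNameSessionServlet.java --- (added example: this servlet only renders the form)
package myname;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/first")   // hypothetical mapping
public class FirstNameSessionServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        res.setContentType("text/html;charset=UTF-8");
        // Nothing has been submitted yet, so there is no "firstname" parameter to read and nothing to store.
        // encodeURL keeps the session ID on the action if the container falls back to URL rewriting.
        res.getWriter().println("<html><body><form method='post' action='"
                + res.encodeURL(req.getContextPath() + "/last") + "'>"
                + "<p>First Name: <input type='text' name='firstname'></p>"
                + "<p><input type='submit' value='Enter'></p></form></body></html>");
    }
}

// --- LastNameSessionServlet.java --- (reads the submitted first name and stores it in the session)
package myname;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/last")   // hypothetical mapping
public class LastNameSessionServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        String firstname = req.getParameter("firstname");          // present now: the first form submitted it
        if (firstname == null || firstname.isEmpty()) {
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/first"));
            return;
        }
        HttpSession sess = req.getSession(true);                   // create the session on this request
        sess.setAttribute("firstname", firstname);                 // the line that belonged in this servlet
        res.setContentType("text/html;charset=UTF-8");
        res.getWriter().println("<html><body><p>Your first name is: " + escape(firstname) + "</p>"
                + "<form method='post' action='" + res.encodeURL(req.getContextPath() + "/both") + "'>"
                + "<p>Last Name: <input type='text' name='lastname'></p>"
                + "<p><input type='submit' value='Enter'></p></form></body></html>");
    }

    /** Escapes user-supplied text before echoing it into HTML. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}

// --- FirstandLastNameSessionServlet.java --- (first name from the session, last name from this request)
package myname;

import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/both")   // hypothetical mapping
public class FirstandLastNameSessionServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        HttpSession sess = req.getSession(false);                  // do not mint a new, empty session here
        String firstname = sess == null ? null : (String) sess.getAttribute("firstname");
        String lastname = req.getParameter("lastname");
        if (firstname == null || lastname == null) {
            // Expired session or a bookmarked URL: restart the flow instead of printing "null".
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/first"));
            return;
        }
        sess.setAttribute("lastname", lastname);
        res.setContentType("text/html;charset=UTF-8");
        res.getWriter().println("<html><body><p>Your first name is: "
                + LastNameSessionServlet.escape(firstname) + "</p><p>Your last name is: "
                + LastNameSessionServlet.escape(lastname) + "</p><p>Session attributes: "
                + Collections.list(sess.getAttributeNames()) + "</p>"
                + "<h1>session tracked success</h1></body></html>");
    }
}
```

The value is now read on the request where it actually exists and stored before the response is written; the third servlet asks for the session with getSession(false), so a bookmarked or expired request restarts the flow rather than creating a fresh empty session and echoing null.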

  • What role can ejb Session Beans play jsp session tracking

     

              I am also looking for a way to use JSP as ejb client with WLS5.1. i would appreciate any help.
              -Girish
              Prasad Peddada <[email protected]> wrote:
              >David,
              >     The beans which are referred to in the jsp specs are java beans and not EJB.
              >
              >Prasad
              >
              >David Levy wrote:
              >>
              >> Hello,
              >>
              >> We are using Jsp/Servlets which will hold session state and subsequently
              >> call ejb Session Beans for transaction/persistence coordination . We are
              >> not sure if we are using the correct techniques to control object memory.
              >>
              >> Summary of what we have:
              >>
              >> A jsp with the "useBean" directive:
              >> <jsp:useBean id="MySession" class="com....MySession"
              >> scope="session"></jsp:useBean>
              >>
              >> The class MySession holds other classes ( all serializable).
              >> The class MySession is NOT an ejb Session Bean
              >>
              >> Questions:
              >> We are considering making class MySession an ejb Session Bean so (via it's
              >> passivate/activate feature) we can control instances in memory as more web
              >> clients start the session from the jsp page. I.E. all web clients will have
              >> their own HttpSession instance which holds on to an ejb Session Bean object
              >> "MySession"( or a passivated representation of it)
              >>
              >> 1) Is this a sufficient approach or will there be other memory concerns?
              >> I.E. What about all the HttpSession objects out there? Do they need to be
              >> passivated as well?
              >>
              >> 2) If its a good idea to passivate the HttpSessions as well, then what
              >> mechanism should be used ( servlet session persistence)? Also, if we are
              >> passivating the HttpSession (which holds on to the MySession object graph)
              >> , then why bother with the SessionBean for passivation
              >>
              >> 3) Currently, we only have a single instance of a servlet handling all
              >> requests. Will multiple instances buy us anything?
              >>
              >> 4) How does clustering relate to this topic?
              >>
              >> 5) Can we change the "jsp:useBean" directive so MySession is an ejb Session
              >> Bean or do we have to do the "home.create()" within a jsp script?
              >>
              >> thanks,
              >> dave
              

  • Does Tomcat 4.0 support session tracking?

    I have used Tomcat 4.0 to run my servlet code with session tracking; there is no compile error, but there is an error when the servlet is run with the session code.
    Anyone know what the problem is?

    The following are the error message:
    type Exception report
    message Internal Server Error
    description The server encountered an internal error (Internal Server Error) that prevented it from fulfilling this request.
    exception
    javax.servlet.ServletException: Servlet execution threw an exception
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at filters.ExampleFilter.doFilter(ExampleFilter.java:149)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:475)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1012)
         at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1107)
         at java.lang.Thread.run(Thread.java:484)
    root cause
    java.lang.NoSuchMethodError
         at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1185)
         at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:191)
         at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:191)
         at SessionExample.doGet(SessionExample.java:66)
         at SessionExample.doPost(SessionExample.java:121)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at filters.ExampleFilter.doFilter(ExampleFilter.java:149)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:475)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
         at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1012)
         at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1107)
         at java.lang.Thread.run(Thread.java:484)

  • Does Conection Pooling affect my session tracking?

    hi
    in today's world of growing internet users it's very difficult to handle the number of requests that come at a time.
    Consider an example of a website such as a commercial one, where I am in a scenario in which I track the session of a user. I use a servlet for this purpose, and let's assume that a javawebserver is the server.
    After a few months my site hits its peak and I am not able to handle so many requests at a time, so I have one more javawebserver apart from the existing one and I distribute the requests, saying the first 10 go to server 1 and the next 10 to server 2.
    A visitor enters and I start keeping track of the user. What will happen if the user, when making a first request, was directed to server 1, and the same user, when making a second request, is on server 2? Will session tracking of a particular user still be possible?
    In anticipation of a favourable response,
    Regards

    There are a number of ways that you can handle this. For example, ATG's Dynamo application server generates its own session id and, as part of this session id, it uses a code that specifies which server the session lives on. Then, the load balancing software (which is obviously custom written to look for this code) properly redirects the request "behind the scenes" to the server that this session originated from.
    There are other ways to handle this, but the above is the most straightforward IMHO.
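The scheme the reply describes (a server code embedded in the session id that the load balancer reads so it can send the request back to the originating server), as an added example. This is illustrative code, not ATG Dynamo's; the "<opaque id>.<node>" format, the node names and the sample id are constructed for it (Tomcat's jvmRoute suffix has the same shape).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

/** Added example: routes a request to the node named in its session id, else round-robin. */
public class StickyRouter {
    private final List<String> nodes;                 // pool members, e.g. "server1", "server2" (constructed)
    private final AtomicInteger next = new AtomicInteger();

    public StickyRouter(List<String> nodes) {
        if (nodes.isEmpty()) throw new IllegalArgumentException("no backend nodes");
        this.nodes = new ArrayList<>(nodes);
    }

    /** Extracts the node tag after the last '.', or null when the id carries none. */
    static String nodeTag(String sessionId) {
        if (sessionId == null) return null;
        int dot = sessionId.lastIndexOf('.');
        if (dot <= 0 || dot == sessionId.length() - 1) return null;
        return sessionId.substring(dot + 1);
    }

    /**
     * Picks the backend for a request. A tag naming a node in the pool wins (affinity); anything
     * else, including a tag for a node that is not a member, falls through to round-robin.
     * The tag decides routing only; the chosen node still looks the id up in its own session table.
     */
    public String route(String sessionId) {
        String tag = nodeTag(sessionId);
        if (tag != null && nodes.contains(tag)) return tag;
        return nodes.get(Math.floorMod(next.getAndIncrement(), nodes.size()));
    }

    /** What the owning node appends to a freshly generated id so later requests come back to it. */
    public static String tagSessionId(String opaqueId, String node) {
        return opaqueId + "." + node;
    }

    public static void main(String[] args) {
        StickyRouter router = new StickyRouter(Arrays.asList("server1", "server2"));
        String first = router.route(null);                         // new visitor, no id yet: round-robin
        String id = tagSessionId("0123456789ABCDEF", first);       // id minted on that node (value constructed)
        System.out.println("request 1 -> " + first + ", session id " + id);
        System.out.println("request 2 -> " + router.route(id));    // same node as request 1
        System.out.println("unknown tag -> " + router.route("abc.server9"));   // not a member: round-robin
    }
}
```

Only tags that name a current pool member are honoured; a tag is never used to pick an arbitrary host, and the node that receives the request still treats an id it does not know as "no session".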

  • Session tracking and Internet Explorer

    Hi,
    I am currently maintaining a servlet application, on apache/jserv.
    This application implements a session tracking using a shared static hashtable of session data, associated with session id's.
    This application may open more than one client browser windows.
    With netscape, no problem.
    With Internet Explorer, since version 6, when the client closes at least one window, the session is closed.
    Thus, the application rejects any new request from this client sent by still-open windows (the session cannot be retrieved in the hashtable).
    Has somebody heard about this problem ?
    Thanks for any answer.

    Thanks.
    In fact, I believe that IE keeps the same session for child windows.
    The problem is: when you click on a link which opens a new window, the new open window shares the session with its parent window.
    When the new window is closed, the session is also closed.
    It appears that this mechanism only exists since version 6 of IE.

    No. Earlier IE versions handle session cookies the same way.

  • Can we use an overloaded constructor of a Java Bean with Session Tracking

    Hi Friends,
    If any one can solve my query.... It would be helpful.
    Query:
    I have a Java Bean with an overloaded constructor in it. I want to use the overloaded constructor in my JSP.
    1. One way of doing that is to use it directly in the "Scriptlets" (<% %>). But then I am not sure of the way to do session tracking. I think I can use the implicit objects like "session", "request" etc. but I am not sure of the approach or of the implementation method.
    2. Another way is through the directive <jsp:useBean>. But I cannot call an overloaded constructor with <jsp:useBean>. The only alternative way is to use the directive <jsp:useBean> where I have to write getter and setter methods in the Java Bean and use the <jsp:setProperty> and <jsp:getProperty> standard actions. Then with this approach I cannot use the overloaded constructor.
    Can any one suggest me the best approach to solve this problem ?
    Thanks and Regards,
    Gaive.

    My first reaction is that you can refactor your overloaded constructor into an init(arguments...) method. Instead of overloaded constructor, you can call that init method. This is the ideal solution if possible.
    As to the two choices you listed:
    1. This is OK, I believe. You can use a scriptlet to define the bean and put it into the session scope of the pageContext. I am not sure exactly what you meant by session tracking; whatever you meant, it should be doable using HttpSessionAttributeListener and/or HttpSessionBindingListener.
    2. Agreed. There is no way that <jsp:useBean> can call a constructor that has non-empty arguments.
    Please tell me how it works for you.

  • Always use URL Rewriting for session tracking?

    All you JSP guru:
    I am working on a JSP project that requires session tracking. I have successfully implemented session tracking with both cookies and URL rewriting. I know that with the HttpSession object, it will always try to use a cookie first; if that's disabled, then it'll automatically switch to URL rewriting. However, is there a way to force the HttpSession object to ALWAYS use URL rewriting instead of cookies? I have searched for an answer for a long time and haven't been able to find a solution. Is it possible at all? Thank you very much.

    i was going to say that WebSphere always uses URL rewriting if you enable it at all, but someone beat me to it (indirectly) :-)
    however, that seemed to me to be a violation of the spec, which seemed to imply the behaviour you're describing (only use URL rewriting if cookies are not supported on the current client)
    here's a response someone else made on a websphere newsgroup to a statement in that regard:
    I believe you are technically correct. However from my experience, I think the spec is flawed in this area since there is no reliable way of determining whether the client browser supports cookies. The authority on cookies (www.cookiecentral.com) says:
    "To properly detect if a cookie is being accepted via the server, the cookie needs to be set on one HTTP request and read back in another. This cannot be accomplished within 1 request."
    This is asking too much of a servlet engine implementation. Even if it did submit a request for this purpose, the user could refuse the cookie. So then technically the browser supports cookies, but the servlet engine infers it doesn't. So if the servlet engine infers the browser does not support cookies and so encodes the URL, it is again out of spec because the browser really does support cookies. By doing it however encoding is configured makes things simpler, robust, consistent and avoids the flaw.
    My opinion.
    so, mostly i'm just rambling, but if you're using websphere, you should get the behaviour your boss wants. if you're using something else, i suppose there's a chance it'll "violate" the spec in this same, potentially helpful way.
    btw, i remember somebody else complaining that URL rewriting is less secure than cookies, but i kinda think they're about equal. it seems like either could be intercepted by a sniffer and then used to spoof. but i'm no expert in that stuff...

  • Disable non-SSL session tracking?

    Hi, all,
    I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
    I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
    Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
    Thanks,
    Dmitri.

    I don't think you can do this programmatically.
    However I also don't think it is a problem.
    Cookies are related to zone names aren't they? http://mysite and https://mysite are two different zones as far as cookies are concerned. One should not be able to see the other.
    It issues a new cookie for the http site you are just navigating to. That cookie has nothing to do with the secure site you just came from, and shouldn't be able to tell them any info about the secure site.
    I think you are worrying about something that isn't really there.
    What is your concern? That they pick up a JSESSIONID from the cookie and can then pretend to be a different user?

    Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
    I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

  • Maintain session when calling servlet from form in a JSP

    I have the following set up:
    index.jsp calls login servlet from the action tag in a form.
    Login servlet handles the login, stores the user info and db connection in the session and uses forward(req,res) to call another jsp.
    That jsp has a form where user enters search info and in that form's action tag there is a search servlet. In the search servlet I am unable to access the session.
    Is there any way to pass the session to the servlet from that jsp using a form/action?

    > I've read elsewhere that if you go from a jsp to a servlet that the request object is cleared of any attributes from the previous request.
    Which is correct. But aren't we speaking about the session object here? A request object is valid for a request, i.e. the phase from where the server receives a hit for a resource up to the point it sends the output for that request.
    A session spans multiple requests.
    > it doesn't retrieve the session info and gives me a null pointer exception when I try to use the connection object stored in the session.
    Bad, bad, bad. Why do you store Connection objects in the session? Create them when necessary or use a connection pool. Do you, for example, clean up the connections when the session expires? What if it's a 30 minute session and the user hits every, say, 15 minutes with a request? Why do you need to hold on to the Connection in the intervening interval when the user's session is inactive?
    > gives me a null pointer exception when I try to use the connection object stored in the session.
    Which means that the Connection object is null, not the session object.
    > That last line is where I get the null pointer exception. And that is
    > Statement stmt = con.createStatement();
    Same answer as above. If the session object was null,
    userSession.getAttribute("connection");
    would have thrown a NPE.
    ram.
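The connection pool the reply recommends, written out as an added example (not code from either poster): a search servlet that keeps only the user id in the session and borrows a pooled JDBC connection per request, handing it back when the request ends, so nothing is left dangling when the session later times out. The JNDI name java:comp/env/jdbc/AppDB, the userId session attribute, the /search mapping and the documents table are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/**
 * Search servlet that takes a pooled connection per request instead of
 * reading a Connection out of the session. Added example; the JNDI name,
 * the "userId" session attribute and the table/column names are assumptions.
 */
@WebServlet("/search")
public class SearchServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Container-managed pool, configured in the server, not carried in the session.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException("DataSource not bound", e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): never create a session here; the login servlet did that.
        HttpSession session = req.getSession(false);
        String userId = session == null ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendRedirect(req.getContextPath() + "/index.jsp"); // not logged in
            return;
        }

        String term = req.getParameter("q");
        if (term == null || term.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing search term");
            return;
        }

        // try-with-resources returns the connection to the pool even when an
        // exception is thrown, so an expiring session can never leak one.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(
                     "SELECT title FROM documents WHERE owner = ? AND title LIKE ?")) {
            ps.setString(1, userId);           // the logged-in user, taken from the session
            ps.setString(2, "%" + term + "%"); // bound parameter: the form value is never spliced into SQL
            try (ResultSet rs = ps.executeQuery()) {
                resp.setContentType("text/plain;charset=UTF-8");
                while (rs.next()) {
                    resp.getWriter().println(rs.getString("title"));
                }
            }
        } catch (SQLException e) {
            throw new ServletException("search failed", e);
        }
    }
}
```

The session now holds a String, which every container can serialize, replicate and discard on timeout; a java.sql.Connection is none of those things, and one held per session also caps concurrent users at the pool size.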

  • Session Tracking problem

    I am doing session tracking in JSP. What my purpose is: I want to stop the user if the user is already logged in.
    For this, I am creating a Hashtable and entering the user id and session id as key-value pairs into the hashtable when the user is logging in, if not in the hashtable. If these values are already in the hashtable, I am restricting the user.
    When the user selects the log out option, I am invalidating the session and deleting the values in the hashtable. This is working fine.
    What my problem is: suppose the user closes the window, the session will be expired, but I am not able to delete the values which are in the hashtable,
    and if the user is trying to log in, according to my logic it is allowing the user.
    Thanks
    Anupama

    I hope this would add up to others' suggestions, albeit I would recommend a bit of a change:
    Given:
    a. you're already implementing a session object that has a pair value of user id and session id;
    b. you want to restrict a user who previously logged in but, say, he/she accidentally or intentionally closed the browser, thus leaving his session object in the hashtable
    Proposed Solution:
    a. change your pair value from user id-session id to user id-passwd;
    Explanation:
    a. I believe that you maintain a user bean (with session scope) all throughout the web application;
    b. I also believe that at the same time, you maintain other beans of the same scope, but that's out of the question;
    c. putting a session id will give you difficulties in validating a common user that previously logged in because each time a user logs on, you generate a unique session id;
    d. therefore, you cannot test equality of the newly logged user and his new session id with that of his previous one in the hashtable (in case it pertains to abnormal browser termination);
    e. changing the pair to user id and passwd will enable you to really trap and test if the new user has an unterminated or uninvalidated session in the hashtable;
    f. now, if a previously logged user (with session still in the hashtable) logs in for the second time, you may invalidate his old session and give him a new session.
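An added example (not from either post) of the cleanup the Hashtable approach lacks: the container notifies an HttpSessionListener both when a session is invalidated and when it times out, so the registry entry left behind by a closed browser window disappears on its own. The registry keys on user id and holds the live HttpSession, which is enough to detect a second login; it offers both policies mentioned in the thread, refusing the second login or evicting the older session. The class name and the userId attribute name are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * One-session-per-user registry kept in step with the container.
 * Added example (not code from the thread); the "userId" attribute
 * name and the class name are assumptions.
 */
@WebListener
public class SingleLoginRegistry implements HttpSessionListener {

    static final String USER_ATTR = "userId";

    // userId -> the session that currently holds the login
    private static final Map<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /**
     * Policy 1 (the original poster's): refuse the login if another session
     * is already registered for this user. Call after the password check.
     */
    public static boolean register(String userId, HttpSession session) {
        HttpSession previous = ACTIVE.putIfAbsent(userId, session);
        if (previous != null && previous != session) {
            return false; // someone is already logged in as this user
        }
        session.setAttribute(USER_ATTR, userId);
        return true;
    }

    /**
     * Policy 2 (step f in the reply above): the newest login wins and the
     * older session is invalidated, which in turn fires sessionDestroyed.
     */
    public static void registerAndEvictOld(String userId, HttpSession session) {
        HttpSession previous = ACTIVE.put(userId, session);
        session.setAttribute(USER_ATTR, userId);
        if (previous != null && previous != session) {
            try {
                previous.invalidate();
            } catch (IllegalStateException alreadyGone) {
                // already invalidated or timed out; nothing left to evict
            }
        }
    }

    /** Called by the logout servlet; invalidate() triggers sessionDestroyed below. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to record until the user has logged in
    }

    /**
     * Fires on invalidate() AND on timeout. Attributes are still readable here,
     * so the entry for a user whose browser simply went away is removed too.
     */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object userId = session.getAttribute(USER_ATTR);
        if (userId instanceof String) {
            // two-argument remove: only drop the entry if it still points at THIS session,
            // so evicting an old session never unregisters the new one
            ACTIVE.remove(userId, session);
        }
    }
}
```

The login servlet calls SingleLoginRegistry.register(userId, request.getSession(true)) once the password has been verified; on a Servlet 3.1 container, call request.changeSessionId() first so the id the browser held before authentication does not become the logged-in session id. The map is per JVM; a clustered deployment needs a shared store in place of the static map.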

  • Maintaining Sessions through Multiple Servlets and Contexts

    Hi,
    I have a webapplication that works like this:
    * User connects to a login servlet on HTTPS
    * The user's information is authenticated on HTTPS
    * An object is stored in the session for other servlets to validate the user's access
    * Authenticated users are forwarded to an HTTP page where the session is used to make sure they were granted access
    My problem is this.... Since I create the session in an HTTPS context, when I am in the HTTP context, I am unable to access the session and constantly get NULL. Is there any way that I can access the session from an HTTP context?

    What you can do is just login using HTTPS and switch over to HTTP and then store data in the session.

    That is true, but what I want in the session is basically a flag on whether or not the user was granted access. I would much rather set all that up on the secure line, and then just access it from the unsecure ones...

    For example, you are creating the session using the http://testdev:port/index.jsp page. If you access the same page (with hostname) http://10.300.20.18:8080/index.jsp, you can't get the session even though both are the same web server and the same web application, because the browser treats it as a different session.

    I think if you use my above solution with the explicit passing of the jsessionid, you can move from one domain to another and still maintain the session. Not positive on that though...
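Both HTTPS/HTTP threads on this page (Dmitri's question about turning off non-SSL session tracking, and the one just above about a session created over HTTPS reading as null over HTTP) come down to the same two settings, so one added example serves both. It uses the Servlet 3.0+ API, which did not exist in the Servlet 2.x containers the posters were running, and is not code from any of them. A session cookie without the Secure attribute is sent by the browser to http:// and https:// pages of the same host alike, so a session id created over TLS is exposed on the first plain-HTTP request, which is Dmitri's concern. Conversely, containers such as Tomcat set Secure on a session cookie created over HTTPS, so the browser withholds it on an http:// page and the servlet there sees a null session, which is the behaviour the last poster reports; the fix is to keep the post-login pages on HTTPS rather than to carry the id across. The listener below sets this policy programmatically, as Dmitri asked: cookie-only tracking (no URL rewriting), Secure and HttpOnly, plus a filter that invalidates any session presented over plain HTTP and redirects to HTTPS. Class names and the "/*" mapping are assumptions.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic session-tracking policy, Servlet 3.0+ API. Added example; not code
 * from the thread, and the class names and the "/*" filter mapping are assumptions.
 * These calls are only legal while the context is still initializing, which is
 * why they live in a ServletContextListener and not in a JSP or servlet.
 */
@WebListener
public class SecureSessionConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie only: no URL rewriting, so the session id never lands in links,
        // Referer headers or access logs. SessionTrackingMode.SSL (session keyed on
        // the TLS session) is the alternative, but it must be the only mode in the set.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);   // browser sends it on https:// requests only
        cookie.setHttpOnly(true); // not readable from page scripts

        // Programmatic equivalent of a <filter> / <filter-mapping> entry in web.xml.
        ctx.addFilter("requireTlsForSessions", RequireTlsForSessions.class)
           .addMappingForUrlPatterns(null, false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /**
     * Defence in depth for a front end that ignores the cookie flag: a session
     * presented on plain HTTP is invalidated (its id has already been on the wire)
     * and the client is sent to the HTTPS equivalent of the same URL.
     */
    public static class RequireTlsForSessions implements Filter {

        @Override
        public void init(FilterConfig cfg) { }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;

            if (!req.isSecure()) {
                HttpSession session = req.getSession(false); // never create one here
                if (session != null) {
                    session.invalidate();
                }
                // getServerName() is taken from the Host header; restrict accepted
                // host names at the connector if clients are not trusted to set it.
                String query = req.getQueryString() == null ? "" : "?" + req.getQueryString();
                resp.sendRedirect("https://" + req.getServerName() + req.getRequestURI() + query);
                return;
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() { }
    }
}
```

Behind a TLS-terminating load balancer, request.isSecure() is false unless the connector is told the front end is secure (on Tomcat, the connector's secure attribute or RemoteIpValve honouring X-Forwarded-Proto); otherwise the filter redirects every request. The redirect also drops the body of a POST, so the HTTP-to-HTTPS bounce should only ever be hit by stray GETs.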

  • Can you tell me how to load sessions.xml in a servlet

    Can you tell me how to load sessions.xml in a servlet?

    Getting a session in a servlet is no different than in any other environment except that you need to be careful which classloader you pass to the SessionManager and correctly configure what to do if your application is reloaded. If you use the oracle.toplink.util.SessionFactory introduced in 10.1.3.1 you don't have to worry about these details--it uses the correct settings. The SessionFactory greatly simplifies the code required to get a session or unit of work. It's well documented in the SessionFactory javadoc.
    If you do use SessionFactory, beware there is a bug when running in a JTA environment when there's no transaction started. Doug posted a workaround in his blog [1].
    --Shaun
    [1] http://www.jroller.com/page/djclarke/20060412

  • Oracle Forms Session Tracking mechanism

    Hi,
    In this doc http://www.oracle.com/technology/products/forms/pdf/10g/troubleshooting_fls.pdf we can read the following:
    The JsessionID, which uniquely identifies a Forms session. The Forms Listener Servlet uses two session tracking mechanisms:
    - Cookies, where the Servlet container sends a cookie to the client.
    The client returns the cookie to the server upon each HTTP
    request, thereby associating the session with the cookie.
    - URL rewriting, where the Servlet container appends a session ID
    to the URL path, for example:
    http://host[:port]/forms90/l90servlet;jsessionid=a23445bcde89
    Does this mean that Forms uses one of those, or uses both mechanisms simultaneously?
    anyone?
    Regards
    Ricardo
    Edited by: user12015527 on Mar 10, 2010 2:39 PM

    duplicate post: Oracle forms session crashes.

  • Passing Session info between servlets

    We are running WebLogic 5.1, sp 4 and Apache 1.3 on Solaris 2.6 and we are successfully proxying requests to the server. But we are unable to pass session information between servlets. We are NOT using URL encoding. We are instead using cookies. We believe our configuration is correct because the BEA example session servlet works. Does anyone have any recommendations or suggestions?
    Thank you,
    Jorge
    Jorge A. Martin
    Systems Analyst
    The Kinetic Group
    1950 Stemmons Freeway, Suite 3040
    Dallas, Texas 75207

    This is a basic misunderstanding of how Java works:
    String name +r = request.getParameter(name +r);
    1) You can't use a + on the left part of an assignment operation; it must be a plain variable reference. This isn't like JavaScript where you have an eval(...) capability.
    2) Your Strings are being defined inside the for loop, which means they will leave scope once the loop ends and you won't be able to refer to them anymore.
    3) Is there already a String value named 'name' which you are using in getParameter(name+r)? You should probably use getParameter("name"+r) instead.
    What you want to do is put the values in an array so they are easy to access:
    String name[] = new String[value1];
    Then loop through the parameters to assign values:
    for (int r = 0; r < value1; r++) { // Start at 0 and go to value1-1 because arrays are 0 based.
      String nameParam = "name" + (r + 1);
      name[r] = request.getParameter(nameParam);
    }
    Now I can access the names in order:
    name1 via name[0]
    name2 via name[1]
    name3 via name[2]
    etc...
    Before going any further I would stop working on Servlets and go back to some good basic Java tutorials and books until you get a better grasp of how the language works.
