What is session in Java?

user405398 picture user405398 · Sep 8, 2010 · Viewed 86.5k times · Source

So far I understand Httpsession concepts in Java.

 HttpSession ses = req.getSession(true);

will create a session object, according to the request.

setAttribute("String", object);

will, bind the 'String', and value with the Session object.

getAttribute("String");

will return an object associated with the string, specified.

What I am not able to understand is: I am creating a session object like HttpSession ses = req.getSession(true); and setting a name for it by calling setAttribute("String", object);. Here, This code resides inside the server. For every person, when he tries to login the same code in the server will be executed. setAttribute("String", object); in this method the string value is a constant one. So, each session object created will be binded by the same string which I have provided. When I try to retrieve the string to validate his session or while logout action taken the getAttribute("String"); ll return the same constant string value(Am I right!!?? Actually I don't know, I'm just thinking of its logic of execution). Then, how can I be able to invalidate.

I saw this type of illustration in all of the tutorials on the WEB. Is it the actual way to set that attribute? Or, real application developers will give a variable in the "String" field to set it dynamically

(ie. session.setAttribut(userName, userName); //Setting the String Dynamically.. I dono is it right or not.)

And my final question is

WebContext ctx = WebContextFactory.get();
request = ctx.getHttpServletRequest();

What do the two lines above do? What will be stored in ctx & request? HttpSession ses = req.getSession(true); will creates new session means. What value stored in ses.

Answer

gawi picture gawi · Sep 8, 2010

Some [random] precisions:

  1. You don't need login/logout mechanisms in order to have sessions.
  2. In java servlets, HTTP sessions are tracked using two mechanisms, HTTP cookie (the most commonly used) or URL rewriting (to support browsers without cookies or with cookies disabled). Using only cookies is simple, you don't have to do anything special. For URL re-writing, you need to modify all URLs pointing back to your servlets/filters.
  3. Each time you call request.getSession(true), the HttpRequest object will be inspected in order to find a session ID encoded either in a cookie OR/AND in the URL path parameter (what's following a semi-colon). If the session ID cannot be found, a new session will be created by the servlet container (i.e. the server).
  4. The session ID is added to the response as a Cookie. If you want to support URL re-writing also, the links in your HTML documents should be modified using the response.encodeURL() method. Calling request.getSession(false) or simply request.getSession() will return null in the event the session ID is not found or the session ID refers to an invalid session.
  5. There is a single HTTP session by visit, as Java session cookies are not stored permanently in the browser. So sessions object are not shared between clients. Each user has his own private session.
  6. Sessions are destroyed automatically if not used for a given time. The time-out value can be configured in the web.xml file.
  7. A given session can be explicitly invalidated using the invalidate() method.
  8. When people are talking about JSESSIONID, they are referring to the standard name of the HTTP cookie used to do session-tracking in Java.