Session Management in Java Web Apps

1. The user requests a webpage.
2. The browser sends the request to the web server.
3. The server sees that there is no “session related information/identifier” in the request.
4. The server sends the JSESSIONID back to the client (e.g. in a cookie, along with the main HTML response).

Session simply means a particular interval of time. Session Tracking is a way to maintain state (data) of an user. It is also known as session management in servlet.

Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Typically, a session is started when a user authenticates their identity using a password or another authentication protocol.

Since HTTP and Web Server both are stateless, the only way to maintain a session is when some unique information about the session (session id) is passed between server and client in every request and response. There are several ways through which we can provide unique identifier in request and response.

What is session management and why is it important? Session management is used to facilitate secure interactions between a user and some service or application and applies to a sequence of requests and responses associated with that particular user.

Some of the common ways of session management in servlets are:

• User Authentication.
• HTML Hidden Field.
• Cookies.
• URL Rewriting.
• Session Management API.

Session beans are of three types: stateful, stateless, and singleton.

Session management is used to facilitate secure interactions between a user and some service or application and applies to a sequence of requests and responses associated with that particular user.

Session Management in Java using Servlet Filters and Cookies

1. Step 1: Create a maven project in intelliJ idea.
2. Step 2: Add the required dependencies to the pom.xml. Add the javax.
3. Step 3: Create the login page. 3.1.
4. Step 4: Create the LoginServlet class.
5. Step 5: Create the LoginSuccess.jsp.
6. Step 6: Create the Logout Servlet.

Broken Authentication and Session Management Vulnerabilities (A2:2017) is an OWASP listed vulnerability that recognizes the risk of credentials due to poor identity and access controls implementation.

There are two types of session management – cookie-based and URL rewriting.

You do not need to implement the SessionAware interface in your action unless you need access to the session inside of the action itself. You should redirect the user to a login action, not directly to a JSP page, otherwise you are bypassing the Struts2 framework and losing out on the benefits of using the framework.

Session Management in Java Servlet Web Applications is a very interesting topic. Session in Java Servlet are managed through different ways, such as Cookies, HttpSession API, URL rewriting etc. This is the third article in the series of Web Applications tutorial in Java, you might want to check out earlier two articles too.

HttpSession allows us to set objects as attributes that can be retrieved in future requests. HttpSession getSession() – This method always returns a HttpSession object. It returns the session object attached with the request, if the request has no session attached, then it creates a new session and return it.

Session Management in Java – Cookies Cookies are used a lot in web applications to personalize response based on your choice or to keep track of session. Before moving forward to the Servlet Session Management API, I would like to show how can we keep track of session with cookies through a small web application.