
Session management in Servlet

A session is a particular interval of time in which the client and the server communicate over HTTP. HTTP is a stateless protocol, i.e. after the response is given to the client there is no connection between the client and the server, and each request is treated as a new request. This makes the web application more scalable because the server remains free to accept more requests from more clients. Maintaining the state of a user across multiple requests and responses in this stateless protocol is known as session management. Session management involves 2 things:

    1. Maintaining state of the session 

    2. Maintaining session or session tracking 

Maintaining state of the session

It means storing all the client-specific values used by a particular client in a session. While a user is interacting with the application running on the server, you might need to store the client-specific data in some object, so that for as long as the conversation lasts you can access the object containing that client's data. All the values related to a particular client can be stored in two different objects.

    1. Cookies object (stores the values on the client side). We can use this object to store client-specific values on the client side, and this is not recommended.

    2. HttpSession object (stores the values on the server side). We can use this object to store client-specific values on the server side, and this is highly recommended.

Maintaining session or session tracking

  • It means identifying all the multiple requests of a single client and forming one single session. 

  • HTTP is a stateless protocol, i.e. after a single request and response there is no connection between the client and the server.

  • The server identifies every request coming from the same client as a new request even though the client is an old client. 

  • Because of this, all the requests coming from the same client have to be grouped into one single session, which is called maintaining the session or session tracking.

  • When we use cookies to store data, we need not track any session.

  • Session maintenance is done with the help of exchanging an exclusive id called JSESSIONID between the client and the server. 

  • The unique JSESSIONID generated by the server for every client is exchanged between the client and server in 4 different ways:

    1. Cookies. 

    2. URL rewriting. 

    3. Hidden form field. 

    4. SSL (Secure Sockets Layer) 

  • By default JSESSIONID will be exchanged using Cookies. 

  • The URL rewriting and hidden form field techniques can also be used for maintaining the state of the session along with session tracking, but we have to perform these operations explicitly in every request. With Cookies and the HttpSession object we create and save the data only once and can use it later at any time in the session, with no need to perform these operations explicitly and continuously in every request.
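
The two parts described above, shown together as an added example (not code from the original page): JSESSIONID is restricted to the cookie exchange and client-specific state is kept in the HttpSession object. It assumes a Servlet 3.1+ container with the javax.servlet API (jakarta.servlet in newer containers) and a container-configured login realm; the class names, the /login path and the "user" attribute are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Added example: class names, /login path and the "user" attribute are hypothetical.
@WebListener
public class SessionSetup implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        // Session tracking: exchange JSESSIONID through the cookie only, so the id
        // never appears in rewritten URLs (links, history, Referer headers, logs).
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // page scripts cannot read the id
        cookie.setSecure(true);   // the id is sent over HTTPS only
        ctx.addServlet("login", new LoginServlet()).addMapping("/login");
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }

    static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            try {
                // Container-managed check against the configured realm (assumed to exist).
                req.login(req.getParameter("user"), req.getParameter("password"));
            } catch (ServletException e) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            HttpSession session = req.getSession(true);
            // New JSESSIONID after login: an id issued before authentication
            // must not identify the authenticated session (session fixation).
            req.changeSessionId();
            // Session state: the value stays on the server; the browser holds only the id.
            session.setAttribute("user", req.getRemoteUser());
            session.setMaxInactiveInterval(15 * 60); // seconds of inactivity before expiry
            resp.setContentType("text/plain");
            resp.getWriter().println("Logged in; state is kept in HttpSession");
        }
    }
}
```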

