Session Tracking in Java Servlets - George Mason University
TRANSCRIPT
![Page 1: Session Tracking in Java Servlets - George Mason Universitymason.gmu.edu/~jbaldo/432Lec10A-Sessions.pdfSession Tracking in Java Servlets James Baldo Jr. SWE 432 Design and Implementation](https://reader031.vdocuments.site/reader031/viewer/2022041915/5e6956dbd251d623750700cc/html5/thumbnails/1.jpg)
Session Tracking in Java Servlets
James Baldo Jr.
SWE 432
Design and Implementation of Software for the Web
Session State Information
• The initial versions of the web suffered from a lack of state:
[Figure: an HTML form is submitted to the server, which returns an HTML page; the data sent with each form (D1, D1+D2, D1+D2+D3, D1+D2+D3+D4) has to be carried forward by each successive form, Form1 to Form4]
8/24/2008 © Offutt, 2004-2007 2
• If you wanted multiple screens, there was no way for data to be accumulated or stored
Session Tracking
• Web sites that are service-oriented or e-commerce need to maintain user states
• This is called session tracking
Session Tracking (2)
• Session tracking refers to passing data from one HTTP request to another
• Servlets can use several methods to do session tracking:
1. Include data as extra parameters in URL (rewriting)
2. Hidden form fields
3. Cookies
3.b) Cookies within Servlet API session tracking tools
4. Sessions using the Secure Sockets Layer (SSL) (not discussed in 432)
Session: A series of related interactions between a client and a web server (similar to a use case)
Session Tracking (3)
[Figure: client C sends a request carrying a token to server S; S returns a response carrying a token]
All four work by exchanging a token between the client and the server. Whoever presents the token is treated as that session's user, so the token must be unguessable and must not leak.
Non-servlet Methods (Stone Age) 1) URL Rewriting
• Forms usually add parameters:
URL?P1=v1&P2=v2&P3=v3&…
• You can add values in the URL as a parameter:
<A HREF="../servlet/X?SneakyParam=42">
or: <A HREF="../servlet/X?User=george">
• This is used as a key to find the saved information about the user george.
– Messy and clumsy
– Long URLs
– Information on URL is public (visible in the address bar, browser history, proxy and server logs, and the Referer header sent to other sites)
– All HTML pages must be created dynamically
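The Servlet API has its own version of method 1. The following is an added example, not code from the slides: HttpServletResponse.encodeURL() appends the session ID to a link whenever the container did not receive a session cookie on the current request, so the same token that normally travels in a cookie rides in the URL, with every drawback listed above. The servlet mapping /rewrite and the attribute name visits are assumptions; the code targets the javax.servlet API, Servlet 3.0 or later.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed URL mapping; the slides do not name a servlet.
@WebServlet("/rewrite")
public class UrlRewritingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(true);   // create on first visit
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);

        // encodeURL() appends ";jsessionid=<id>" only when this request did not
        // carry the session cookie (cookies disabled, or the first visit of a new
        // session); otherwise the URL comes back unchanged.
        String again = response.encodeURL(request.getContextPath() + "/rewrite");

        // Which channel delivered the token on this request?
        String via = request.isRequestedSessionIdFromCookie() ? "cookie"
                   : request.isRequestedSessionIdFromURL()    ? "URL (rewriting)"
                   : "none: a new session was just created";

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<p>Visits in this session: " + visits + "</p>");
        out.println("<p>Session id arrived via: " + via + "</p>");
        // The id in the URL is as sensitive as the cookie: anyone who sees this
        // link (browser history, proxy logs, the Referer header of an outbound
        // link) can present it and take over the session.
        out.println("<a href=\"" + again + "\">again</a>");
    }
}
```

Open /rewrite twice with cookies disabled and the second link carries ;jsessionid=…; with cookies enabled the link is bare. Because the rewritten form leaks the token, most deployments turn it off: in a Servlet 3.0 web.xml, `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` makes encodeURL() leave every URL unchanged.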
Non-servlet Methods 2) Hidden Form Fields
• Generate HTML pages with forms that store “hidden” information:
<INPUT Type=hidden Name=USER Value=george>
• Somewhat clumsy
• Insecure: the field is hidden from the rendered page, not from the user, who can read it in the page source and change it before submitting
• All HTML pages must be created dynamically
Non-servlet Methods 3) Cookies
• Cookies are small text strings stored on the client’s computer
• Sent by the server in a Set-Cookie response header and stored by the web browser, which returns them in the Cookie header of later requests to the same site
• Arbitrary strings stored on the client
• From the server’s (Java) perspective: var=value pairs
• Java coding:
Cookie c = new Cookie("user", "george"); // a name=value pair
c.setMaxAge(5*24*60*60); // expires in 5 days (the argument is in seconds); without it the cookie lasts only until the browser exits
response.addCookie(c); // sends the cookie to the client in a Set-Cookie header; call it before the response is committed
Non-servlet Methods 3) Cookies – cont.
• Cookies are very useful and simple
• Not stored with the HTML content
• Convenient way to solve a real problem
• But cookies are scary!
– It’s as if I stored my files at your house
– Cookies go way beyond session tracking
– Cookies provide a way to do behavior tracking
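The slides show only the sending side. As an added example (not from the slides), the servlet below completes the round trip: it writes a preference cookie with the attributes a practitioner sets today and reads it back from the next request. The mapping /prefs, the cookie name theme and the allowed values are assumptions; setHttpOnly() needs Servlet 3.0 or later. Two points the slide's three lines do not show: request.getCookies() returns null, not an empty array, when the request carried no Cookie header, and since the value comes back from the client it is untrusted input and is checked against a short allow list.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed mapping and cookie name; not part of the original slides.
@WebServlet("/prefs")
public class PreferenceCookieServlet extends HttpServlet {
    private static final String NAME = "theme";
    private static final int FIVE_DAYS = 5 * 24 * 60 * 60;   // max-age is in seconds

    /** Value of the named cookie, or null. getCookies() itself is null when no Cookie header came in. */
    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String wanted = request.getParameter("theme");
        if (wanted != null) {
            // The browser will echo back whatever we store, and an attacker can forge
            // the header outright, so only store values from an allow list.
            if (!wanted.equals("light") && !wanted.equals("dark")) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown theme");
                return;
            }
            Cookie c = new Cookie(NAME, wanted);
            c.setMaxAge(FIVE_DAYS);
            String path = request.getContextPath();
            c.setPath(path.isEmpty() ? "/" : path);   // scope it to this application
            c.setHttpOnly(true);                      // not readable from page scripts (Servlet 3.0+)
            c.setSecure(request.isSecure());          // send only over TLS when we were reached over TLS
            response.addCookie(c);                    // emits the Set-Cookie header
        }
        // This reads the cookie the client sent with *this* request; a value set a
        // few lines above only shows up on the next request.
        String theme = readCookie(request, NAME);
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("theme=" + (theme == null ? "default" : theme));
    }
}
```

Request /prefs?theme=dark, then /prefs again: the first answer still says default (the cookie is on its way out), the second says dark. The same name=value pair is what the slide's code sends; the extra attributes limit where the browser will send it and who on the client can read it.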
Bronze-age method: 3.b) Servlet API
The servlet API uses cookies to provide a simpler, safer, flexible method for session tracking
• Cookies are handled automatically: the only thing sent to the client is an opaque session ID (the JSESSIONID cookie); the data itself stays on the server
• HttpSession stores data in the current active object
• Data disappears when the object is destroyed
• Object is destroyed after the session ends, by default 30 minutes after the last request (configurable with session-timeout in web.xml or setMaxInactiveInterval())
Servlet API (2)
• void setAttribute (String name, Object attribute) : Adds an item to the session, replacing any item already stored under that name
• Object getAttribute (String name) : Returns the value stored for the given name, or null if there is none
• void removeAttribute (String name) : Removes an item from the session
• Enumeration<String> getAttributeNames() : Returns an enumeration of all the value names that are stored for this session
• String getId() : Returns the session ID
• void invalidate() : Removes the current session
Servlet API (3)
• These methods are not synchronized
• Multiple servlets can access the same session object at the same time, because the container handles parallel requests from the same browser (frames, images, AJAX calls) on separate threads
• If this can happen, your program should synchronize the code that modifies the shared session attributes
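What "synchronize the code that modifies the shared session attributes" looks like in practice, as an added example that is not from the slides: a per-session request counter. The read-then-write pair getAttribute()/setAttribute() is the classic lost update, so the mutable value is created once, in an HttpSessionListener that the container runs before any request can see the new session, and every request then does one atomic update on it. The attribute name requestCount and the mapping /count are assumptions; javax.servlet, Servlet 3.0 or later.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Runs once when the container creates a session, before any request can use it,
// so seeding the counter here has no race. Attribute name is an assumption.
@WebListener
class SessionCounterSetup implements HttpSessionListener {
    static final String COUNTER = "requestCount";

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        e.getSession().setAttribute(COUNTER, new AtomicInteger(0));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) { }
}

@WebServlet("/count")
public class CountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession s = request.getSession(true);

        // Lost-update version (do NOT do this): two requests from the same browser
        // can both read n and both write n + 1, so one increment vanishes.
        //   Integer n = (Integer) s.getAttribute("requestCount");
        //   s.setAttribute("requestCount", n + 1);

        AtomicInteger counter = (AtomicInteger) s.getAttribute(SessionCounterSetup.COUNTER);
        if (counter == null) {
            // Session predates the listener (e.g. restored across a redeploy without it).
            // Locking the HttpSession object works in Tomcat, which hands out one facade
            // per session, but the servlet spec does not promise that, hence the listener
            // above is the primary mechanism and this is only the fallback.
            synchronized (s) {
                counter = (AtomicInteger) s.getAttribute(SessionCounterSetup.COUNTER);
                if (counter == null) {
                    counter = new AtomicInteger(0);
                    s.setAttribute(SessionCounterSetup.COUNTER, counter);
                }
            }
        }
        int n = counter.incrementAndGet();   // one atomic read-modify-write

        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("requests in this session: " + n);
    }
}
```

Fire twenty parallel requests at /count from one browser session and the last answer is exactly 20; with the commented-out version it is usually less. AtomicInteger is Serializable, so the attribute survives the container persisting the session to disk, but atomicity only holds inside one JVM: a replicated session in a cluster is a copy, not a shared object.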
Using Session Objects
• Get a session object:
HttpSession s = request.getSession(true);
– true: create if it does not exist.
– false: return null if it does not exist (so check for null before using it).
• Put objects into the session object (the value must be an Object, not a primitive):
s.setAttribute("answer", 42); // compiles only since Java 5, which autoboxes 42 to an Integer
s.setAttribute("answer", Integer.valueOf(42)); // the explicit form; older code wrote new Integer(42)
• Getting primitive values from session objects:
Integer ansobj = (Integer) s.getAttribute("answer"); // null if nothing was stored under that name
int ans = ansobj.intValue();
• Deleting session:
s.invalidate(); // Information is thrown away
Session Definition
A session is defined by
• The web server
– Servlet container
– Servlet context
• The client
– IP address
– Browser
(Strictly, the container identifies a session only by the session ID the browser presents; it does not check the IP address, so two browsers on one machine get separate sessions and a browser keeps its session when its address changes.)
• Session objects are kept on the server
• Each session object uses different parts of memory (instances of data values) on the server
Session Objects in General
• Generally speaking, session handling is really about sharing data
• A Web application is comprised of several software components
• The characteristics of a Web app mean that the components do not communicate directly
– Independent processes (really, threads)
– Stateless protocol
– Client-server or N-tier architecture
– Execution flow always goes through a client
How can these independent components share data?
Data Scope
• Access levels (scope) in Java:
– private (within the class only)
– package-private, the default (any class in the same package)
– protected (same package, plus subclasses in other packages)
– public (entire application)
• Data sharing in Java:
– Two components can share data if they are in the same scope
– Two components can share data by passing parameters
BUT … Public access and parameter passing are not possible between the components of a Web application, because each request is handled separately and control always returns through the client!
Example
Consider a small Web app with 2 servlets and 3 JSPs
[Figure: a client, Servlet S1, Servlet S2, JSP 1, JSP 2 and JSP 3, with requests and responses flowing between the client and each component]
How can the servlets and JSPs share data?
Sharing Data : Hidden Form Fields
• Flows of control go through the client
• Data that must be passed from one software component to another can be stored in hidden form fields in the HTML pages
• Several problems:
– Insecure – users can see the data
– Unreliable – users can change the data
– Undependable – users can use the back button, direct URL entry, and URL rewriting to skip some hidden form fields
• Still useful in limited situations
Sharing Data : Session Object
• One program component can store a value in the session object
• Another component can retrieve, use, and modify the value
• Depends on the servlet container:
– Software components are threads, not processes
– Servlet container stays resident and can keep shared memory
Session Data Example
Software components share data through the container
[Figure: inside the Servlet Container, Servlet S1, Servlet S2, JSP 1, JSP 2 and JSP 3 all read and write one session object; the client sits outside the container]
Login Example
[Figure: three pages, Form Entry, Login and View Data, sharing the session attributes isLoggedIn: T/F and userID: string]
1. User requests Form Entry
2. Form Entry checks isLoggedIn
3. If isLoggedIn is false, go to Login
4. Login sets isLoggedIn to true and sets userID
5. User requests View Data
6. View Data checks isLoggedIn
7. If isLoggedIn is false, go to Login
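The login example above and the "Using Session Objects" calls (getSession, setAttribute, getAttribute, invalidate) come together in the following added example, which is not code from the slides. A filter performs steps 2-3 and 6-7 for every page under /app/ so no page can forget the check; the login servlet performs step 4; a logout servlet shows invalidate(). The URL mappings, the demo user george with a constructed password table, and the attribute names follow the slide's isLoggedIn/userID; all of these are assumptions. The code targets javax.servlet 3.1 or later because it calls request.changeSessionId() at login, which is the one step a practitioner adds to the slide's procedure: issuing a fresh session ID at the moment privileges change, so an ID an attacker planted in the victim's browser beforehand (session fixation) never becomes a logged-in session. Several classes sit in one file for brevity; normally each gets its own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Steps 2-3 and 6-7: every page under /app/ checks isLoggedIn before doing anything. */
@WebFilter("/app/*")
class LoginCheckFilter implements Filter {
    public void init(FilterConfig c) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession s = request.getSession(false);   // false: no session for anonymous users
        if (s == null || !Boolean.TRUE.equals(s.getAttribute("isLoggedIn"))) {
            ((HttpServletResponse) resp).sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, resp);
    }
}

/** Step 4: the Login page verifies credentials, then sets isLoggedIn and userID. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Constructed demo credential table: user -> SHA-256(user || password). A real
    // application keeps per-user salted hashes from a slow KDF in a database.
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("george", digest("george", "correct horse battery")); }

    static byte[] digest(String user, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(user.getBytes(StandardCharsets.UTF_8));
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean credentialsOk(String user, String password) {
        if (user == null || password == null) return false;
        byte[] expected = USERS.get(user);
        // MessageDigest.isEqual compares in constant time
        return expected != null && MessageDigest.isEqual(expected, digest(user, password));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().println("<form method='post'>user <input name='user'> "
                + "password <input name='password' type='password'> <button>Login</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String user = request.getParameter("user");
        if (!credentialsOk(user, request.getParameter("password"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials");
            return;
        }
        HttpSession s = request.getSession(true);
        // Fresh session id at the privilege change, so an id planted before login
        // (session fixation) is not promoted to a logged-in one. Servlet 3.1+.
        request.changeSessionId();
        s.setAttribute("isLoggedIn", Boolean.TRUE);
        s.setAttribute("userID", user);
        response.sendRedirect(request.getContextPath() + "/app/view");
    }
}

/** The View Data page: reads userID; the filter has already enforced the login check. */
@WebServlet("/app/view")
class ViewDataServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String user = (String) request.getSession(false).getAttribute("userID");
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("data for " + user);
    }
}

/** Logout: invalidate() throws away isLoggedIn, userID and everything else in the session. */
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate();
        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```

Requesting /app/view without a session redirects to /login; posting george / correct horse battery sets the two attributes and lands on /app/view; posting to /logout and then requesting /app/view redirects again. Note that isLoggedIn is only ever set on the server side from a verified credential, never read from a hidden field or URL parameter, which is exactly the property the hidden-form-field method could not give.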
More on Maintaining State
1. User session state: cookies and session object
2. Multi-user session state: sometimes we want to share session data among multiple clients, through the servlet-context object
Why do we need them?
– Chat rooms: Allow multiple users to interact
– Group working: Online meeting
– Online bidding
– Reservation systems
Servlet Context Object
The servlet context object supports resources that can be shared by groups of users:
• Information about the servlet’s environment:
– Server name
– MIME type
• Method to write to a log file (log())
• Share information through context attributes
1. getAttribute()
2. setAttribute()
3. removeAttribute()
Context attributes are visible to every user of the application, so they must never hold per-user data, and the code that updates them must be thread-safe because requests from all users run concurrently
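The chat-room case from the previous slide, as an added example that is not from the slides: one shared message list is created once, in a ServletContextListener at application start-up, and stored as a context attribute; every user's request reads and appends to it, so the list itself serialises access. Who is posting is taken from that user's own session object (the userID attribute set at login), never from the shared context or a form field. The attribute name chatLog, the mapping /app/chat and the capacity are assumptions; javax.servlet, Servlet 3.0 or later.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** The shared resource: a bounded message list that serialises its own access. */
final class ChatLog {
    private final Deque<String> messages = new ArrayDeque<>();
    private final int capacity;

    ChatLog(int capacity) { this.capacity = capacity; }

    synchronized void post(String user, String text) {
        if (messages.size() == capacity) messages.removeFirst();   // drop the oldest
        messages.addLast(user + ": " + text);
    }

    synchronized List<String> snapshot() { return new ArrayList<>(messages); }
}

/** Runs once at application start-up, so the attribute exists before any request. */
@WebListener
class ChatSetup implements ServletContextListener {
    static final String ATTR = "chatLog";   // assumed attribute name

    public void contextInitialized(ServletContextEvent e) {
        e.getServletContext().setAttribute(ATTR, new ChatLog(100));
        e.getServletContext().log("chat log created");   // the slide's log() method
    }

    public void contextDestroyed(ServletContextEvent e) {
        e.getServletContext().removeAttribute(ATTR);
    }
}

@WebServlet("/app/chat")
public class ChatServlet extends HttpServlet {

    private ChatLog chatLog() {
        return (ChatLog) getServletContext().getAttribute(ChatSetup.ATTR);
    }

    /** Everyone sees the same list: context scope, not session scope. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // text/plain: a message containing HTML is shown as text, not rendered in other users' browsers
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        for (String m : chatLog().snapshot()) out.println(m);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // The poster's identity comes from the per-user session object, never from the request
        HttpSession s = request.getSession(false);
        String user = (s == null) ? null : (String) s.getAttribute("userID");
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String text = request.getParameter("text");
        if (text == null || text.trim().isEmpty() || text.length() > 500) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "message missing or too long");
            return;
        }
        chatLog().post(user, text.trim());
        response.sendRedirect(request.getRequestURI());   // POST-redirect-GET
    }
}
```

Two logged-in browsers posting to /app/chat see each other's lines on their next GET, while each browser's userID stays in its own session. The sharing is per container: a context attribute lives in one JVM, so a clustered deployment needs an external store (database, message broker) for anything that must be seen on every node.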
Session Summary
• A session is a single coherent use of the system by the same user
• Sessions need to maintain state
• Maintaining state is difficult because HTTP is stateless
• Java EE (servlet) applications keep track of state within the session object
– The session object is based on cookies (the cookie carries only the session ID; the data stays on the server)
– Cookies are handled by the software libraries, giving a useful abstraction for programmers