Thursday, March 24, 2011

Chapter 24: Session Tracking Through a URL Rather Than a Cookie

Session Tracking is very useful as you might have learnt in the past few chapters. There is also a feature wherein you can use URL Rewriting instead of using cookies (all our examples in the past chapters were using cookies so this one is new). In this chapter, you are going to learn just that.

So, lets get started!!!

URL Rewriting:

A Web container associates a session with a user by sending and receiving an identifier. This session ID is passed between the client and server. You could place this identifier in the HTML, but servlets are already designed to track this identifier if it is placed in a cookie or in the query string. The cookie is the easiest and happens automatically for you when you create a session. If the user turns off cookies then you can send the identifier back and forth in the query string by including it in every URL that is returned to the client. Though this is a bit of a painful task and is not necessarily used always, it is advised to learn it to cope with situations where cookie tracking is turned off frequently by your users and you still need to use sessions.

You append the session ID in URLs by calling the response's encodeURL(URL) or the encodeRedirectURL() method on all URLs returned by a servlet. This method includes the session ID in the URL only if cookies are disabled; otherwise, it returns the URL unchanged.

Exam Trivia:

The encodeURL method will use URL rewriting only if cookies are disabled else it will not modify the URL and the session will continue to use cookies. Remember that for the exam. Unless the question explicitly states that the cookies are turned off, don't assume it is and think that the URL will be modified by this method

Example Code using URL Rewriting:

Now that we know how to append a session ID in the URL, lets look at an example that does that for us.

import javax.servlet.*;
import javax.servlet.http.*;

public class TestURLRewriteServlet extends HttpServlet
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException
HttpSession session = request.getSession(true);
session.setAttribute("sessionNumber", new Integer(22));


PrintWriter out = response.getWriter();
out.println("< html >");
out.println("< body bgcolor=\"white\" > ");
out.println("< head >");

String title = "Session ID Is In URL";
out.println("< title >" + title + "< / title >");
out.println("< / head >");
out.println("< body >");
out.println("< center >");

out.println("< h1 >" + title + "< / h1 >");

out.println("< P >");
out.println("< P >");
out.print(response.encodeURL("ExampleURL?name=" + "Car&value=Ferrari"));

out.println("< / center >");
out.println("< / body >");
out.println(" < / html >");

out.println("< / body >");
out.println("< / html >");

public void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException
doGet(request, response);
When I first ran this code, my cookies were turned on. I saw this in my browser:

However, I then turned off cookies and received this on the next visit:

The JSESSIONID attributed displayed in the output above is used to track sessions when cookies are turned off. This JSESSIONID attribute would get appended to the query strings (URL) when we use the encodeURL() or encodeRedirectURL() methods.

You will probably see this attribute mentioned on the exam. So, just remember whatever you learnt in this chapter…

Previous Chapter: Chapter 23 - Invalidating Sessions

Next Chapter: Quick Recap - Chapters 20 to 24

No comments:

Post a Comment

© 2013 by All rights reserved. No part of this blog or its contents may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the Author.