Monday, April 18, 2011

HttpSession Interview Questions

The following are some questions you might encounter with respect to HttpSessions in any Interview. Sessions are a very powerful feature and any interviewer who is selecting people for his J2EE project would want a person who is confident & comfortable using them.

Apart from the questions below, there are a few articles that I have put up (as part of the SCWCD Certification series) on Sessions that you might find useful. You can use them to revise/review your understanding of Sessions.

They are:

Introduction to Session Management
Storing & Retrieving Session Objects
Session Event Listeners
Invalidating Sessions
Session Tracking Through URL Rewriting
Summary of Session Topics


1. What is a Session?

A Session refers to all the requests that a single client makes to a server. A session is specific to the user, and for each user a new session is created to track all the requests from that particular user. Sessions are not shared among users; each user of the system has a separate session and a unique session ID. In most cases, the default value of time-out* is 20 minutes and it can be changed as per the website requirements.

*Time-out - The amount of time after which a session is invalidated/destroyed if it has been inactive.

2. What is Session ID?

A session ID is a unique identification string, usually a long, random, alphanumeric string, that is transmitted between the client and the server. Session IDs are usually stored in cookies, URLs (in the case of URL rewriting) and hidden fields of Web pages.

3. What is Session Tracking?

HTTP is a stateless protocol and it does not maintain the client state. But there exists a mechanism called "Session Tracking" which helps servers maintain state so they can track the series of requests from the same user across some period of time.

4. What are different types of Session Tracking?

Mechanisms for Session Tracking are:
a) Cookies
b) URL rewriting
c) Hidden form fields
d) SSL Sessions

5. What is HttpSession Class?

HttpSession Class provides a way to identify a user across multiple requests. The servlet container uses the HttpSession interface to create a session between an HTTP client and an HTTP server. The session lives only for a specified time period, across more than one connection or page request from the user.

6. Why do we need Session Tracking in a Servlet based Web Application?

In HttpServlet you can use Session Tracking to track the user state. Simply put, it is used to store information like the user's login credentials, their choices in previous pages (like in a shopping cart website), etc.

7. What are the advantages of Cookies over URL rewriting?

Session tracking using Cookies is more secure and faster. It keeps the website URL clean and concise instead of having a long string appended to the URL every time you click on any link in the website. Also, when we use URL rewriting, it requires large data transfer from and to the server. So, it may lead to significant network traffic and access to the website may become slow.

8. What is session hijacking?

If your application is not very secure, it is possible to gain access to the system after acquiring or generating the authentication information. Session hijacking refers to the act of taking control of a user session after successfully obtaining or generating an authentication session ID. It involves an attacker using captured, brute-forced or reverse-engineered session IDs to gain control of a legitimate user's Web application session while that session is still in progress.

9. What is Session Migration?

Session Migration is a mechanism of moving the session from one server to another in case of server failure. Session Migration can be implemented by:

a) Persisting the session into database
b) Storing the session in-memory on multiple servers.

10. How to track a user session in Servlets?

The interface HttpSession can be used to track the session in the Servlet. Following code can be used to create session object in the Servlet:

HttpSession session = req.getSession(true);

Using this session object, the servlet can gain access to the details of the session.

11. How can you destroy the session in Servlet?

You can call the invalidate() method on the session object to destroy the session.

e.g. session.invalidate();
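
Questions 10 and 11 put together, as an added example that is not part of the original article: a servlet that creates the session at login, rotates its ID, and destroys it at logout. It assumes the javax.servlet 3.1+ API and a container security realm configured for request.login(); the class name, URL patterns and attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; added example, assumes javax.servlet 3.1+.
@WebServlet(urlPatterns = {"/login", "/logout"})
public class SessionLifecycleServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if ("/logout".equals(req.getServletPath())) {
            // getSession(false) returns null instead of creating a session,
            // so logging out never allocates a new one.
            HttpSession existing = req.getSession(false);
            if (existing != null) {
                existing.invalidate(); // unbinds all attributes, ID becomes useless
            }
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }

        try {
            // Authenticate against the container's configured realm (assumption).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession(true) returns the current session or creates one.
        HttpSession session = req.getSession(true);
        // Issue a fresh ID after authentication, so an ID that was known
        // before login does not identify the authenticated session.
        req.changeSessionId();
        // Keep the authenticated user name in the session, never the password.
        session.setAttribute("user", req.getRemoteUser());
        session.setMaxInactiveInterval(20 * 60); // seconds of inactivity
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```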

If you have any questions that you want answered, please leave a comment on this page and I will answer them.

If you have any more questions on Sessions that you have faced during your interviews and wish to add them to this collection - pls drop a note to and I shall be glad to add them to this list.


© 2013 by All rights reserved. No part of this blog or its contents may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the Author.