190 likes | 354 Views
Comp2513 Java Servlets and Sessions. Daniel L. Silver, Ph.D. Objectives. To review the problem that the HTTP connectionless environment poses for E-Commerce Solution 1: hidden fields Solution 2: cookies Solution 3. session control
E N D
Comp2513Java Servlets and Sessions Daniel L. Silver, Ph.D.
Objectives • To review the problem that the HTTP connectionless environment poses for E-Commerce • Solution 1: hidden fields • Solution 2: cookies • Solution 3. session control • Reference: DDEA Ch.7, Sharma p.110-122 and EJP (Ch.4) p.48-63 Daniel L. Silver
Websphere Java ServletRequest Processing Client http://eagle.acadiau.ca/demo/servlet/HelloWorld Browser Tomcat App. Server HTTP Server HTML Internet JVM servlet/HelloWorld HelloWorld.class demo/servlet/ equates to …/demo/WEB-INF/classes/HelloWorld.class Daniel L. Silver
HTTP is Connectionless • The HTTP protocol is connectionless • Knowledge of prior pages visited or, for example, products placed in a shopping cart are easily lost • So how can server applications maintain a sense of a session with a client? • hidden fields • cookies • session control Daniel L. Silver
Hidden Fields in HTML • Solution comes from CGI period • Server hides session information within HTML returned to the client • FORM field INPUT type can be set to “hidden” <INPUT TYPE=“hidden” NAME=“itemsbought” VALUE=“209087,342901”> • Field name and value will be returned to the server by the client when the client submits the form request to the server Daniel L. Silver
Hidden Fields in HTML • Example: http://eagle.acadiau.ca:8080/danstech/HiddenFields.html • Problems with this method? • User can see the hidden info (use source view) • Causes a lot of additional HTTP traffic • Session info is lost if HTML (that contains hidden fields) is lost Daniel L. Silver
Servlets and Cookies • Solution comes from CGI period but has evolved with Java servlets • Servlets send a small piece of data to the client that gets written to a secure disk area: How does the servlet do this? Cookie c = new Cookie(name, value); … response.addCookie(c) • So the session data (products placed in the users shopping cart) can be stored in cookie • Or simply an ID can be placed in the cookie and the server can maintain the session data Daniel L. Silver
Servlets and Cookies • Client browsers will check to see if there is a cookie associated with any request to a server (URL) or a particular server/path … The server can establish the URL specifics: Cookie c = new Cookie(name, value); c.setDomain(“eagle.acadiau.ca”); c.setPath(“/”); • Could be more specific if desired … the above is the default Daniel L. Silver
Servlets and Cookies • Whenever a new request is sent to the server it checks to see if a cookie is included: Cookie[] cookies = request.getCookies(); for (int i = 0; i < cookies.length; i++) { Cookie c = cookies[i]; String name = c.getName(); String value = c.getValue(); … } Daniel L. Silver
Servlets and Cookies A cookie is established by the server in the HTTP response header: Content-type: text/html Set-Cookie: name=value; expires=Sat, 26-Aug-95 15:45:30 GMT; path=/; domain=eagle.acadiau.ca expires= determines the life of the cookie expires= a negative value (default), then cookie expires when the browser exits, so it is never written to disk expires=0 tells the browser to delete the cookie immediately To set a cookie’s life in seconds use the Cookie method: setMaxAge(int expiry) Daniel L. Silver
Servlets and Cookies • Example 1 – A Session cookie: http://eagle.acadiau.ca:8080/examples/servlets/index.html • Full source code http://eagle.acadiau.ca/demo/CookieExample.java • Example 2 – A Persistent Cookie http://eagle.acadiau.ca/demo/PersistentCookieExample.html - Full source code http://eagle.acadiau.ca/demo/PersistentCookieExample.java • Problems with this method? • Cookies have limit life (servlet, browser) and size (4k bytes) • Maximum number of cookies set by browser • User may disable cookie acceptance • Can be inefficient in terms of data communications Daniel L. Silver
Servlets and Cookies • For more information on cookies see • Netscape's Cookie Specification at http://home.netscape.com/newsref/std/cookie_spec.html • Or RFC 2109 at http://www.ietf.org/rfc/rfc2109.txt • Or http://www.cookiecentral.com. Daniel L. Silver
Servlets and Sessions • Solution is most commonly used with Java servlets and JSPs • The Servlet JDK comes with HTTP class that facilitates session management - HttpSession • A session is a connection between a client and server that persists over multiple HTTP request / responses Daniel L. Silver
Servlets and Sessions • A new session is established by using the getSession() method of HttpSession class: HttpSession session = req.getsession(true); • If parameter = “true” the servlet engine checks to see if an session already exists, if so a handle is returned, otherwise a new session is created • Therefore, more than one servlet can participate in a session • Cookies are used to identify a session on the client Daniel L. Silver
Servlets and Sessions Session objects contain various information: HttpSession session = request.getSession(); out.println(rb.getString("sessions.id") + " " + session.getId()); out.println("<br>"); [NOTE: rb is a resource bundle class – replace rb.getString() with ASCII text for your own purposes] out.println(rb.getString("sessions.created") + " "); out.println(new Date(session.getCreationTime()) + "<br>"); out.println(rb.getString("sessions.lastaccessed") + " "); out.println(new Date(session.getLastAccessedTime())); Daniel L. Silver
Servlets and Sessions • Data stored as attribute-value pairs • Three key HttpSession methods: • setAttribute(dataName, dataValue) • getAttributeNames(), getAttribute(dataName) • Examples: String dataName = request.getParameter("dataname"); String dataValue = request.getParameter("datavalue"); if (dataName != null && dataValue != null) { session.setAttribute(dataName, dataValue); } Enumeration names = session.getAttributeNames(); while (names.hasMoreElements()) { String name = (String) names.nextElement(); String value = session.getAttribute(name).toString(); out.println(name + " = " + value + "<br>"); } Daniel L. Silver
Servlets and Sessions • Example: http://eagle.acadiau.ca:8080/examples/servlets/index.html • Full source code http://eagle.acadiau.ca/demo/SessionExample.java • Problems with this method? • Normally, HTTPSession terminates when browser is closed • You may wish to have a business session (shopping tour) extend beyond browser closures Daniel L. Silver