Distributed Web Systems Cookies and Session Tracking Lecturer Department University.


Outline

Cookies
Session tracking
Data sharing between servlets

Need for cookies

Consider an on-line shopping scenario:
[Diagram: User’s PC and Web server; choose 1st product, choose 2nd product, checkout]
But HTTP is a connection-less protocol!
– Once a page is downloaded, the connection between the browser and the web server is closed
– Any subsequent request will look like new to the web server
– How can we make the web server recognise requests from the same user?

Cookies let you do that!

Small bits of textual information:
– Web server can send them to browser to store on the client side
– The browser later returns this information unchanged when visiting the same Web site
[Diagram: User’s PC, website, cookie; "Keep this for me please!"; "You left this here last time"]

Example uses

Identifying the user for e-commerce transactions
Remembering user name, password (bad idea, actually)
Remembering user preferences to customize websites
Remembering what user did last time on this website (e.g. for targeted advertising etc)

Problems with cookies

Privacy!
[Diagram: banner ads, search engine, on-line shop]
– Leave a cookie with information about the use of the search engine
– Read the cookie – learn about user’s browsing patterns for another site (search engine)

Sending cookies in servlets

Create a Cookie object:
– Cookie cookie = new Cookie("name", "value");
Set maximum age of the cookie:
– We need to tell the client’s browser how long it should keep the cookie for
– cookie.setMaxAge(60*60*24*7);   // time in seconds (a week here)
Place cookie into HTTP response headers:
– response.addCookie(cookie);
– This adds the "Cookie" header to the response

Reading cookies from client

Call request.getCookies():
– Returns an array of Cookie objects – all cookies for this website stored on the client
Loop down the array, calling getName() on each Cookie until you find the cookie of interest (i.e. the cookie set by your servlet):

    Cookie[] cookies = request.getCookies();
    if (cookies != null) {   // getCookies() returns null when the request carries no cookies
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equals("MyCookie")) {
                // do something with the cookie
            }
        }
    }

Persistent vs Session Cookies

Persistent cookie:
– Stored on disk – available even after the browser application is closed and restarted
Session cookie:
– Stored in the browser’s memory. Once you close the browser application, the cookie is lost.
Unless you use setMaxAge(), your cookies will be created as session cookies.
Apart from name and age, cookies have some other interesting attributes (please see Core Servlets & JSP for details).
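The sending and reading steps above combined in one servlet, as an added example that is not part of the original slides. It assumes the javax.servlet API (3.0 or later; the package is jakarta.servlet on newer containers); the class name, the "theme" parameter and the allowed values are hypothetical. Two of the other cookie attributes are set, and the returned value is checked because the browser-side copy can be edited by the user.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides. "MyCookie" is the slides' cookie name;
// the class name, the "theme" parameter and the allowed values are hypothetical.
public class ThemeCookieServlet extends HttpServlet {
    private static final String COOKIE_NAME = "MyCookie";
    private static final List<String> ALLOWED = Arrays.asList("light", "dark");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // The cookie lives on the client, so treat it as untrusted input: known values only.
        String stored = validated(readCookie(request, COOKIE_NAME));
        String chosen = validated(request.getParameter("theme"));

        if (chosen != null) {
            Cookie cookie = new Cookie(COOKIE_NAME, chosen);
            cookie.setMaxAge(60 * 60 * 24 * 7);             // persistent: one week, in seconds
            cookie.setPath(request.getContextPath() + "/"); // returned only to this application
            cookie.setHttpOnly(true);                       // not readable from page scripts
            cookie.setSecure(true);                         // sent over HTTPS only
            response.addCookie(cookie);                     // before any body output
        }
        String theme = chosen != null ? chosen : (stored != null ? stored : "light");
        response.setContentType("text/plain");
        response.getWriter().println("theme=" + theme);
    }

    // The loop from the slide: getCookies() returns null when the request has no cookies.
    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    static String validated(String value) {
        return ALLOWED.contains(value) ? value : null;
    }
}
```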

Session tracking

Recall the problem we started with:
– Need to realise on the web server that a set of separate HTTP requests actually belongs to the same interaction session between user and application.
In general, three possible approaches:
– Cookies
– URL rewriting
– Hidden form fields
[Diagram: User’s PC and Web server; choose 1st product, choose 2nd product, checkout]

Session tracking (contd.)

URL rewriting:
– Append some extra data to the end of each URL (e.g.
– Problem 1: since the session ID changes, need to generate ALL pages dynamically (inconvenient)
– Problem 2: if user leaves website and then comes back via a bookmark, session information can be lost
Hidden form fields:
– Have hidden entries in forms:
– Problem: every page has to be generated dynamically but also ONLY by a form submission

What to do with session ID?

Ok, you got your session ID (one way or another), what to do with it on the server?
– Need to have some sort of a hash table that links the ID with the associated session data
– Need to determine idle sessions and delete expired IDs
– Need to generate unique IDs for new sessions
[Diagram: User’s PC; ID/Data table; processing]
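The three server-side tasks listed above, sketched in plain Java as an added example that is not part of the original slides. All class and method names are hypothetical, and the time is passed in as a parameter only so that the constructed timeline in main() is deterministic.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not from the slides: all names here are hypothetical.
public class SessionStore {
    private static final class Entry {
        final Map<String, Object> data = new ConcurrentHashMap<>();
        volatile long lastAccess;
        Entry(long now) { lastAccess = now; }
    }

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>(); // ID -> session data
    private final SecureRandom random = new SecureRandom();
    private final long idleTimeoutMillis;
    public SessionStore(long idleTimeoutMillis) { this.idleTimeoutMillis = idleTimeoutMillis; }

    // New ID: 128 bits from a CSPRNG, unique in the table and impractical to guess.
    public String create(long now) {
        byte[] raw = new byte[16];
        String id;
        do {
            random.nextBytes(raw);
            id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        } while (sessions.putIfAbsent(id, new Entry(now)) != null);
        return id;
    }

    // Returns the session data, or null for an unknown or idle-expired ID.
    public Map<String, Object> lookup(String id, long now) {
        Entry e = (id == null) ? null : sessions.get(id);
        if (e == null) return null;
        if (now - e.lastAccess > idleTimeoutMillis) { sessions.remove(id, e); return null; }
        e.lastAccess = now;
        return e.data;
    }

    public void purgeExpired(long now) { // run periodically to drop abandoned sessions
        sessions.values().removeIf(e -> now - e.lastAccess > idleTimeoutMillis);
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(30 * 60 * 1000L); // 30-minute idle timeout
        String id = store.create(0L);                           // constructed timeline, in ms
        store.lookup(id, 0L).put("cart", "product-1");
        System.out.println(store.lookup(id, 10 * 60 * 1000L));  // within the idle timeout
        System.out.println(store.lookup(id, 45 * 60 * 1000L));  // idle for 35 minutes
    }
}
```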

Session tracking in servlets

Fortunately, servlets and servlet containers already implement this functionality – providing you with the HttpSession object

    ...
    HttpSession s = request.getSession();   // get the session associated with current request
    // read-write session data
    ...

[Diagram: User’s PC sends session ID; Servlet container with ID/Data table; Servlet]

Session tracking in servlets (cont.)

What if the user’s request does not have session ID (e.g. it’s the first user’s visit)?

    ...
    HttpSession s = request.getSession();   // get the session associated with current request
    // write session data
    ...

[Diagram: User’s PC sends NO session ID; Servlet container creates new entry in ID/Data table; Servlet; Send back cookie with ID]
Because this may need to send cookies back, it must be called before sending any document content!!!

Session tracking in servlets (contd.)

What if I do not want to create a new session when none exists?
– E.g. my page needs data from a previous page and will not work correctly otherwise?
Use getSession(false)
– Returns the current session if one exists
– or null otherwise

Reading/writing session data

session.getAttribute("name")
– Get information (object) associated with attribute
session.getAttributeNames()
– Get names of all attributes in the session
session.setAttribute("name", Object value)
– Store information (object) in the session (replaces the previous value for this attribute if any)
session.removeAttribute("name")
– Remove attribute from the session
session.invalidate()
– Invalidate all session data (=forget all objects associated with the session and remove the session itself)
Use with caution!

Browser vs Server sessions

By default, session-tracking is based on cookies that are stored in the browser’s memory (session cookies)
– When user restarts the browser – the session is lost
– But what about the session data on the server?
– Use expire upon inactivity mechanism!
[Diagram: User’s PC holds Session ID; server holds Session data]
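The HttpSession calls from the preceding slides used together in a shopping-cart servlet, as an added example that is not part of the original slides. It assumes the javax.servlet API; the class name, the "action" and "product" parameters, the "cart" attribute and the 30-minute inactivity timeout are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the slides. The class name, the "action" and "product"
// parameters, the "cart" attribute and the 30-minute timeout are hypothetical.
public class CartServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        if ("checkout".equals(req.getParameter("action"))) checkout(req, resp);
        else add(req, resp);
    }

    // The first request of a visit may arrive here, so create a session when none exists.
    private void add(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String product = req.getParameter("product");
        if (product == null || !product.matches("[A-Za-z0-9-]{1,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        HttpSession session = req.getSession();   // before any content is written
        session.setMaxInactiveInterval(30 * 60);  // server drops the session after 30 idle minutes
        @SuppressWarnings("unchecked")
        List<String> old = (List<String>) session.getAttribute("cart");
        List<String> cart = (old == null) ? new ArrayList<String>() : new ArrayList<String>(old);
        cart.add(product);
        session.setAttribute("cart", cart);       // replaces the previous value
        resp.getWriter().println("In cart: " + cart);
    }

    // Checkout needs data from earlier requests, so it must not create a session.
    private void checkout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);  // null when no session exists
        Object cart = (session == null) ? null : session.getAttribute("cart");
        if (cart == null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "No cart: session missing or expired");
            return;
        }
        session.invalidate();  // order done: forget the session data and the session itself
        resp.getWriter().println("Checked out: " + cart);
    }
}
```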

Servlet context

What if we want to store data that are not specific to a particular user and that we want to be accessible by all servlets in our application?
ServletContext object is the place!
– getServletContext() -- returns the ServletContext object
– Data access is the same as for the Session object
– Data are stored for as long as your application is running (restarting application or the servlet container deletes the data)

    ...
    ServletContext c = getServletContext();
    // read-write application data
    ...

[Diagram: ServletContext; Servlet; Servlet container]

Data sharing summary

| Storing method | Data shared between | Data lost when |
|---|---|---|
| Servlet instance variables | All requests to this particular servlet from any user | Servlet is destroyed |
| HttpSession | All requests from this particular user to any servlet in the application | User’s browser is restarted or server session expires/is invalidated |
| ServletContext | All requests from any user to any servlet in this application | The application is restarted |

Summary

Session tracking is used to provide a stateful interaction between a user and a web server via the stateless HTTP protocol
Data stored on the server, session ID on the client
– Cookies, URL rewriting, Hidden form fields
Servlet context can be used for sharing data between servlets

Questions