7. Session Tracking


Chapter 7. Session Tracking

HTTP is a stateless protocol: it provides no built-in way for a server to recognize that a sequence of requests all originated from the same user. Privacy advocates may consider this a feature, but most web programmers see it as a major headache because web applications aren't stateless. Robust web applications need to interact back and forth with the user, remembering information about the user between requests. The shopping cart application is a classic example. A client has to be able to put items into his virtual cart, and the server has to remember his items until he checks out several page requests later, or sometimes even days later!

The HTTP state problem can best be understood if you imagine an online chat forum where you are the guest of honor. Picture dozens of chat users, all conversing with you at the same time. They are asking you questions, responding to your questions, and generally making you wish you had taken that typing course back in high school. Now imagine that when each participant writes to you, the chat forum doesn't tell you who's speaking! All you see is a bunch of questions and statements mixed in with each other. In this kind of forum, the best you can do is hold simple conversations, perhaps answering direct questions. If you try to do anything more, such as ask someone a question in return, you won't necessarily know when the answer comes back. This is exactly the HTTP state problem. The HTTP server sees only a series of requests; it needs extra help to know exactly who's making a request.[1]

[1] If you're wondering why the HTTP server can't identify the client by the connecting machine's IP address, the answer is that the reported IP address could possibly be the address of a proxy server or the address of a server machine that hosts multiple users.

The solution, as you may have already guessed, is for a client to introduce itself as it makes each request. Each client needs to provide a unique identifier that lets the server identify it, or it needs to give some information that the server can use to properly handle the request. To use the chat example, a participant has to begin each of his sentences with something like "Hi, I'm Jason, and. . ." or "Hi, I just asked about your age, and. . ." As you'll see in this chapter, there are several ways for HTTP clients to send this introductory information with each request.
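The difference between guessing identity from the connecting address (footnote 1) and having each client present an identifier can be seen in a small stand-alone program. This is an added example, not code from the book: the class and method names are hypothetical, the proxy address is constructed, and it additionally assumes the identifier is issued by the server from a secure random source so that it cannot be guessed.

```java
import java.security.SecureRandom;
import java.util.*;

// Added illustration; class and method names are hypothetical, not from the Servlet API.
public class StateDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Carts keyed by the address the server sees, and carts keyed by an issued ID.
    private final Map<String, List<String>> cartsByIp = new HashMap<>();
    private final Map<String, List<String>> cartsById = new HashMap<>();

    // The server, not the client, chooses the identifier: 128 random bits.
    String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        cartsById.put(id, new ArrayList<>());
        return id;
    }

    // Identity inferred from the connecting address: everyone behind one proxy collides.
    List<String> addByIp(String ip, String item) {
        List<String> cart = cartsByIp.computeIfAbsent(ip, k -> new ArrayList<>());
        cart.add(item);
        return cart;
    }

    // An ID the server never issued is refused rather than adopted.
    List<String> addById(String id, String item) {
        List<String> cart = cartsById.get(id);
        if (cart == null) throw new IllegalArgumentException("unknown session id");
        cart.add(item);
        return cart;
    }

    public static void main(String[] args) {
        StateDemo server = new StateDemo();
        String proxy = "192.0.2.10"; // constructed: both users arrive via one proxy

        server.addByIp(proxy, "book"); // user A
        System.out.println("by IP, user B sees: " + server.addByIp(proxy, "lamp"));

        String a = server.newSessionId(), b = server.newSessionId();
        server.addById(a, "book"); // user A
        System.out.println("by ID, user B sees: " + server.addById(b, "lamp"));

        try { server.addById("guessed-value", "tv"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Keyed by address, user B's cart also contains user A's item; keyed by the issued identifier, each user sees only their own.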

The first half of the chapter explores the traditional session-tracking techniques used by CGI developers: user authentication, hidden form fields, URL rewriting, and persistent cookies. The second half of the chapter demonstrates the built-in support for session tracking in the Servlet API. This support is built on top of the traditional techniques and it greatly simplifies the task of session tracking in your servlets. All the discussion in this chapter assumes the use of a single server. Chapter 12 explains how to handle shared session state across multiple backend servers.


Last updated on 3/20/2003
Java Servlet Programming, 2nd Edition, © 2001 O'Reilly



Java servlet programming
Java Servlet Programming (Java Series)
ISBN: 0596000405
EAN: 2147483647
Year: 2000
Pages: 223
