Session Tracking Without Cookies

Session tracking is an essential part of most web applications. By nature, the HTTP protocol is connectionless. This means that each time users click on a hyperlink or submit an XHTML form, the browser establishes a new connection to the web server. Once the request is sent and the response is received, the connection between browser and server is broken.

This presents a problem for servlet authors. Although the browser and web server do not maintain a persistent connection between page views, applications must maintain state information for each user. Stateful applications make technologies like shopping carts possible, for instance. With each request from the browser, the servlet must reestablish the identity of the user and locate his session information.

Servlet Session-Tracking API

The traditional servlet approach to session tracking utilizes the javax.servlet.http.HttpSession interface. This interface allows a web application to store information about a user that persists across page requests. The interface is easy to use, mapping attribute names to attribute values. The code shown here is part of a servlet that uses HttpSession:

public void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    // Retrieve an instance of HttpSession for this user. The "true" parameter
    // indicates that the object should be created if it does not exist.
    HttpSession session = req.getSession(true);

    // retrieve the cart ...
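
The attribute mapping described above, together with the servlet API's own fallback for browsers that do not return cookies, shown as an added example rather than code from the book. The class name CartServlet, the "cart" attribute, the "item" parameter and the relative link "cart" are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: the class, attribute and parameter names are assumptions.
public class CartServlet extends HttpServlet {
    private static final String CART_ATTR = "cart";

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Create the session on first contact, reuse it afterwards.
        HttpSession session = req.getSession(true);

        // Attribute values are stored as Object under a name; cast on the way out.
        @SuppressWarnings("unchecked")
        List<String> cart = (List<String>) session.getAttribute(CART_ATTR);
        if (cart == null) {
            cart = new ArrayList<>();
        }

        // Accept only short alphanumeric item codes from the request.
        String item = req.getParameter("item");
        if (item != null && item.matches("[A-Za-z0-9-]{1,32}")) {
            cart.add(item);
        }
        // Store the cart back under its name so later requests can find it.
        session.setAttribute(CART_ATTR, cart);

        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><p>Items in cart: " + cart.size() + "</p>");
        // encodeURL adds the session ID to the link only when the container
        // cannot rely on a session cookie for this client.
        out.println("<a href=\"" + res.encodeURL("cart") + "\">View cart</a>");
        // Reports whether this request carried its session ID in the URL.
        out.println("<p>Session ID came from URL: "
                + req.isRequestedSessionIdFromURL() + "</p>");
        out.println("</body></html>");
    }
}
```

When the session ID travels in the URL instead of a cookie, it also appears in server logs, browser history and Referer headers, so such links should be served over HTTPS and sessions given a short timeout.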
