The term user session refers to a series of user application interactions that are tracked by the server. Sessions are used for maintaining user specific state, including persistent objects such as handles to database result sets and authenticated user identities, among many interactions. For example, a session can be used to track a validated user login, followed by a series of directed activities for a particular user.
The session itself resides in the server. For each request, the client transmits the session ID in a cookie or, if the browser does not allow cookies, the server automatically writes the session ID into the URL.
The Web Server supports the servlet standard session interface, called HttpSession, for all session activities.
This section includes the following topics:
As of Web Server, form-login sessions are no longer supported. You can use single sign-on sessions instead.
A cookie is a small collection of information that can be transmitted to a calling browser, which retrieves it on each subsequent call from the browser so that the server can recognize calls from the same client. A cookie is returned with each call to the site that created it, unless it expires.
Sessions are maintained automatically by a session cookie that is sent to the client when the session is first created. The session cookie contains the session ID, which identifies the client to the server on each successive interaction. If a client does not support or allow cookies, the server rewrites the URLs where the session ID appears in the URLs from that client.
You can also configure whether sessions use URL rewriting. For more information, see the sun-web.xml element session-properties Element.
The Web Server security model is based on an authenticated user session. Once a session has been created, the application user is authenticated if authentication is used and is logged into the session.
Additionally, you can specify that a session cookie is only passed on an HTTPS secured connection , so the session can only remain active on a secure channel.
For more information about security, see Chapter 8, Securing Web Applications.