Sun Java System Web Server 6.1 SP6 Programmer's Guide to Web Applications

Introducing Sessions

The term user session refers to a series of user application interactions that are tracked by the server. Sessions are used for maintaining user specific state, including persistent objects (such as handles to database result sets) and authenticated user identities, among many interactions. For example, a session could be used to track a validated user login followed by a series of directed activities for a particular user.

The session itself resides in the server. For each request, the client transmits the session ID in a cookie or, if the browser does not allow cookies, the server automatically writes the session ID into the URL.

The Sun Java System Web Server supports the servlet standard session interface, called HttpSession, for all session activities. This interface enables you to write portable, secure servlets.

This section includes the following topics:

Note –

As of Sun Java System Web Server 6.1, form-login sessions are no longer supported. You can use single sign-on sessions instead.

Sessions and Cookies

A cookie is a small collection of information that can be transmitted to a calling browser, which retrieves it on each subsequent call from the browser so that the server can recognize calls from the same client. A cookie is returned with each call to the site that created it, unless it expires.

Sessions are maintained automatically by a session cookie that is sent to the client when the session is first created. The session cookie contains the session ID, which identifies the client to the browser on each successive interaction. If a client does not support or allow cookies, the server rewrites the URLs where the session ID appears in the URLs from that client.

You can configure whether and how sessions use cookies. See session-properties and cookie-properties elements in the sun-web.xml file, described in Chapter 7, Deploying Web Applications.

Sessions and URL Rewriting

There are two situations in which the Sun Java System Web Server plugin performs implicit URL rewriting:

You can configure whether sessions use URL rewriting. See the session-properties element in the sun-web.xml file, described in Chapter 7, Deploying Web Applications.

Sessions and Security

The Sun Java System Web Server security model is based on an authenticated user session. Once a session has been created, the application user is authenticated (if authentication is used) and logged in to the session. Each interaction step from the servlet that receives a request does two things: generates content for a JSP to format the output, and checks if the user is properly authenticated.

Additionally, you can specify that a session cookie is only passed on a secured connection (that is, HTTPS), so the session can only remain active on a secure channel.

For more information about security, see Chapter 6, Securing Web Applications.