One of the ways to keep track of session between the client and the server is through the use of cookies. A cookie is a piece of information that a web server sends to the browser.

The web server assigns a unique ID as a cookie to each client. It sends the cookie to the client by embedding it in the response header. With each request, the client sends this cookie value to the server. Using this value, the server identifies the user. Cookie is usually used to maintain the information about the client (such as user ID, name, etc.) that is needed every time a client visits the website. A cookie is constructed using the following constructor of Cookie class. public Cookie(String name, String val)

A servlet to create cookies and add them to the response header

import java.io.* ;

import javax.servlet.*;

import javax.servlet.http.*;

public class CreateCookies extends HttpServlet

{

   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException

   {

       Cookie name = new Cookie(“name”, request.getParameter(“name”));

       // Create cookie for name

       Cookie age= new Cookie(“age”, request.getParameter(“age”));

       // Create cookie for age

       name.setMaxAge(60*60*12); //60*60*24

       age.setMaxAge(60*60*12); // 60*60*24

       // Set expiry date after 12 Hrs for both the cookies

       response.addCookie(name);

       response.addCookie(age);

       // Add both the cookies in the response header

       response.setContentType(“text/html”);

       // Set response content type

       PrintWriter out= response.getWriter();

       String title = “Example to Set Cookies”;

       out.println(“<html>\n” +”<head><title>” + title+

       “</title></head>\n” +”<body >\n” +

       “<h1 align=\”center\”>” + title + “</h1>\n” +

       “<ul>\n” + “<li><b>Name</b>: “

       + request.getParameter(“name”) + “\n” +

       ” <li><b>Age</b>: “

       + request.getParameter(“age”) + “\n” +

       “</ul>\n” + “</body></html>”);

    }

}

This example creates two cookies using the Cookie () constructor. First one is name having the name “name” and the value of the “name” parameter. Other one is age having the name “age” and value of the “age” parameter. The maximum age of both the cookies is set to 12 hrs; the browser will keep this cookie information for 12 hrs. These cookies are then added to the HTTP response header using addCookie () method.

HTML code to call the servlet named CreateCookies is as follows:

<HTML>

   <BODY>

      <FORM ACTION=”servlet/CreateCookies” METHOD=” GET”>

            Name: <INPUT TYPE=”text” NAME=”name”>

      <BR/>

            Age: &nbsp;&nbsp;&nbsp;<INPUT TYPE=”text” NAME=”age” />

             <BR><BR>

              <INPUT TYPE=”submit” VALUE=”Submit” />

      </FORM>

    </BODY>

</HTML>

Compile the servlet CreateCookies and create appropriate entry in web.xml file. Type the URL https://ecomputernotes.com:8080/CreateCookies in the browser. It will display the output shown in Figure

Enter the Name and Age, and then click the submit button on the web page. It will display the output and set two cookies named name and age, which will be passed to the server every time when the submit button is clicked.

A servlet to retrieve cookies from the HTTP request header

import java.io.*;

import javax.servlet.*;

import javax.servlet.http.*;

public class ReadCookies extends HttpServlet

{

    public void doGet(HttpServletRequest request,HttpServletResponse response) throws ServletException, IOException

   {

        Cookie cookie = null;

        Cookie[] cookies= null;

        cookies= request.getCookies();

        // Get an array of Cookies

        response.setContentType(“text/html”);

        // Set response content type

        PrintWriter out= response.getWriter();

        String title = ” Example to Read Cookies”;

        out.println(“<html>\n” +”<head><title>” + title+

        “</title></head>\n” +”<body>\n” );

        if( cookies !=null )

          {

              out.println(“<h2> Cookies found: Name and Value</h2>”);

              for (int i = 0; i < cookies.length; i++)

                   {

                        cookie= cookies[i];

                        out.print(“Name : “+cookie.getName( )+”, “);

                        out.print(“Value: “+cookie.getValue( )+”<br/>”);

                   }

           }

                  else

                      {

                          out.println(“<h2>No cookies exist</h2>”);

                      }

                          out.println(“</body>”);

                          out.println(“</html>”);

     }

}

In this example, the cookies that are included in the HTTP request header are retrieved by calling getcookies () method of HttpServletRequest object.. This method returns an array of cookie objects for the current request. The name and value associated with each cookie is obtained using the getName () and get Value () methods respectively. The names and values of these cookies are then written to HTTP response.

Compile the servlet ReadCookies and create appropriate entry in web.xml file. Type the URL https://ecomputernotes.com:8080/ReadCookies in the browser. It will display the output shown in Figure

HTTP is a stateless protocol; each time a client requests for a page, a separate connection is established between the client and the server. Thus, it provides no way for a server to maintain information for a particular user across multiple requests. There are many web applications where it is required to maintain this information. For example, in case of shopping cart, it is required to keep track of the list of items that are added in each user’s cart. For this, the server must provide a way to store data for each client and distinguish clients from one another.

Session provides such mechanism. A session consists of all the requests that are made during invocation of a single browser. The servlet manages the session using HttpSession interface. Using this interface, a session can be created between an HTTP client and an HTTP server. This session exists for a specified period of time across a sequence of requests from a user.

A servlet to keep track of the number of times a user has visited a site during the current session using interface HttpSession

import java.io.*;

import javax.servlet.*;

import javax.servlet.http.*;

import java.util.*;

public class SessionTrackingExample extends HttpServlet

{

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException

   {

       HttpSession session= request.getSession(true);

       // Create a session object if does not exist

       Date createTime =new Date(session.getCreationTime());

       // Get session creation time

       Date lastAccessTime = new Date(session.getLastAccessedTime());

       // Get sessions last access time

       String title = “Welcome Back !”;

       Integer visitCounter =new Integer(0);

       String userID =new String(“xyz”);

       if (session.isNew())

          {

               title= “Welcome !”;

               session.setAttribute(“userID”, userID);

          }

          else

             {

                 visitCounter = (Integer) session.getAttribute(“visitCount”);

                 visitCounter = visitCounter + 1;

                 userID = (String)session.getAttribute(“userID”);

             }

             session.setAttribute(“visitCount”, visitCounter);

             // Check if this is new Visitor

             response.setContentType(“text/html”);

             PrintWriter out= response.getWriter();

             out.println(“<html>\n” +”<head><title>” + title+

             “</title></head>\n” + “<body\”>\n” +

             “<h1 align=\”center \”>”+title + “</h1>\n” +

             “<h2 align=\”center\”>Session Details</h2>\n” +

             “<table border=\”1\” align=\”center\”>\n” + 

             “<tr\”>\n” +

             “<th>Session info</th><th>value</th></tr>\n”+

             “<tr>\n” + ” <td>Id</td>\n” +

             “<td>” + session.getId() + “</td></tr>\n” +

             “<tr>\n” +” <td>Session Creation Time</td>\n” +

             “<td>” + createTime + ” </td></tr>\n” +

             “<tr>\n” + ” <td>Last Accessed at</td>\n” +

             “<td>” + lastAccessTime + ” </td></tr>\n” +

             “<tr>\n” + ” <td>Visitor ID</td>\n” +

             “<td>” + userID + ” </td></tr>\n” +

             “<tr>\n” + ” <td>Number of visits</td>\n” +

             “<td>” + visitCounter + “</td></tr>\n” + 

             “</table>\n” + “</body></html>”);

     }

}

In this example, a session is created using the getSession () method of HttpServletRequest interface. The single parameter to this method indicates that a new session must be created if it does not exist. This method returns an HttpSession object. To access the properties of session including the session identifier, different methods, namely, getCreationTime(), lastAccessTime(), SetAttribute(), getAttribute(), and get Id ()are invoked using the session object.

Compile the servlet SessionTrackingExample and create appropriate entry in web.xml file. Type the URL https://ecomputernotes.com:8080/SessionTrackingExample in the browser. On first run, it will display the output shown in Figure

In a web server, a session is a collection of all the requests made by a client (browser). HTTP is a stateless protocol. Between requests, it does not maintain any state of the client (browser). Suppose the client makes request for a web page, it should be checked whether the request is from an authorized user. It is impossible to check the authorization for each web page. It is necessary to maintain some information of the user while a user navigates between web pages. Thus, it is useful to maintain the state of client. The following processes arc used to maintain the state of a client:

• URL rewriting

• Hidden fields

• Cookies

• Sessions

Hidden fields Hidden fields are the easiest way of maintaining the state of a client. These are the same as the HTML input tags. These are specified as follows:

<inputtype=“HIDDEN” name=“item” value=“Book” >

These tags will not display anything on the web page but are very useful to present some information to the next page as name-value pairs.

Rewriting URLs Rewriting the URL plays an important role in the session management of the HTTP. This method passes the state information between the client and server by embedding the information as name-value pairs in the URL.

  <A href =“SampleServletlitem = Book&quantity =5“>ltems</A> or                

   <form method =“Get” action=“SampleServlet?item = Book&quantity=5“>

Name-value pairs are placed within the anchor tag separated by the ampersand (&). The Servlet API is capable of accessing the QueryString (name-value pairs after the URL that are found after the question mark (?)) by using the getParameterValue() and getParameterNames() methods of the ServletRequest object.

Cookies Another way to maintain the state of a client is by using cookies. A cookie is an object sent by the server to a client. A cookie is created by the server and sent to the client along with the requested response. Each cookie has a definite lifetime. In general, cookies are insecure and, thus, they are considered to make privacy issues difficult.

Cookies contain small bits of information created by the server and stored at the client machine. These are created when the client makes the first request to the servlet. They are sent to the client along with the response and stored in the client. With each subsequent request, the client sends the information contained in these cookies to the server as the request header.

The Servlet API provides the Cookie class to tackle the concept of cookies. This class manipulates all the technologies of the cookie. The constructor of the Cookie class is the following:

         public Cookie(String name ,String value);                    

After the Cookie class is created, some value is stored within this and it is added to the HttpServletReponse object using the addCookie method, as shown below:

         addCookie(cookie);

It is important that the cookie must be added to the response before any other response is created, including the content type.

Http sessions The state of the HTTP can also be maintained by using sessions. Like cookies, sessions are also used to store information except that the information is stored in the server machine under an unique session identification number. These session identification numbers also exist at the client as cookies. When a request is made, then the session identification number is also sent along with the request information so that the server can uniquely identify the client and provide the client information. The Servlet API provides the interface Httpsession which maintains the relevant information such as the unique session identification number and client specific information. The syntax for using HttpSession is as follows:

                      HttpSession session= httpservletrequest.getSession( )

Here httpservletrequest is an object of the HttpServletRequest interface.

Program Using HttpSession to maintain information on the client’s state.

import javax.servlet.*; 
import javax.servlet.http.*; 
import java.io.*; 
public class TestServlet extends HttpServlet 
{ 
    String Name; 
    public void init(ServletConfig config) throws ServletException 
   { 
        super.init(config);  
         Name=config.getlnitParameter("name"); 
    } 
  public void doGet(HttpServletRequest req,HttpServletResponse res) throws                  ServletException, IOException 
    {  
         res.setContent Type("text/html"); 
        PrintWriter pout=res.getWriter(); 
         // getting the session object 
        HttpSession session=req.getSession(); 
        pout.write("Getting the Session id of servlet;"+ session.getld()); 
        pout.write("Here we are setting the session interval"); 
        session. set MaxInactivelnterval(20); 
         // lnactive Interval is set 
        pout.write("The Inactive interval:"+ session.getMaxlnactivelnterval()); 
        session.putValue("name", "Kumar"); 
        pout.write("Getting the session value:"+ session.getValue("name")); 
        session.invalidate(); 
       pout.close(); 
    } 
       public void destroy(){} 
} 
                        
 

Usually the following four steps are followed while using sessions in servlets.

1. Accessing the Session object associated with the current request: In this step, invoke the getSession () method of the HttpServletRequest to return the HttpSession object.

2. Store objects into a Session object using setAttribute () method.

3. Discard session data if necessary-Call removeAttribute () to discard a specific value. Call invalidate () to discard the entire session.

Now let us consider a program where we create a servlet that uses a session to keep track of how many times a client has visited the webpage. In addition, the servlet also displays the information related to the session such sessionID, creation time, last accessed time.

import java.io.*;

import java.util.Date;

import javax.servlet.*;

import javax.servlet.http.*; 

public class SessionSevlet extends HttpServlet

{

     public void doGet (HttpServletRequest request, HttpServletResponse

    response) throws ServletException, IOException)

     {

          response.setContentType (“text/html”);

          PrintWriter out = response.getWriter ();

          HttpSession session = request.getSession ();

          Integer count = (Integer) session.getAttribute (“count”);

          if (count == null)

          count = new Integer (l);

          else

          count =new Integer (count.intValue () +1);

          session.setAttribute (“count”, count);

          out.println (“<html> <head> <title> Session Demo </title> </head>”);

          out.println (“<body> <h2> Session Information </h2>”);

          out.println (“No. of times you have visited this page =” +count);

          out.println (“<h3> Current session details: </h3>”);

          out.println (“Session id:” +session.getId () +”<br/>”);

          out.println (“New session:” +session.isNew () +”<br/>”);

          out.println (“Timeout:” +session.getMaxInactiveInterval () +”<br/>”);

          out.println (“Creation time:” +new Date (session.getCreationTime () +”<br/>”);

          out.println (“Last access time:” +new Date (session.getLastAccessedTime ()

           +”<br/>”);

          out.println (“</body> </html>”);

       }

}                  

Explanation : In the above program, the statement

HttpSession session = request.getSession ();

returns a session associated with the user making the request. If the session does not exists it creates a new session. This is the first step required for creating and tracking HttpSession. Then the statement,

Integer count = (Integer) session.getAttribute (“count”);

returns a value associated with the session variable count. Since the getAttribute () method returns an Object type cast to it, the appropriate type before calling any methods on it. In our case, we have type cast it to Integer object because we want to display the value of count as an integer. The next statements,

if (count == null)

count = new Integer(l);

else

count = new Integer(count.intvalue () +l);

checks whether count object is null or not. It is null (i.e. there is no such object), the servlet starts a new count. Otherwise, it replaces the Integer with a new Integer whose value has been incremented by 1.

Finally, the servlet generates the html code that displays the number of times the client has visited the page along with other session information.

Cookies enable you to store the session information on the client side which has the following advantages,

• Persistence: One of the most powerful aspects of cookies is their persistence. When a cookie is set on the client’s browser, it can persist for days, months or even years. This makes it easy to save user preferences and visit information and to keep this information available every time the user returns to your site. Moreover, as cookies are stored on the client’s hard disk so if the server crashes they are still available.

• Transparent: Cookies work transparently without the user being aware that information needs to be stored.

• They lighten the load on the server’s memory.

 Disadvantages of Cookies

The following are the disadvantages of cookies :

• Sometimes clients disable cookies on their browsers in response to security or privacy worries which will cause problem for web applications that require them.

• Individual cookie can contain a very limited amount of information (not more than 4 kb).

• Cookies are limited to simple string information. They cannot store complex information.

• Cookies are easily accessible and readable if the user finds and reopens.

• Most browsers restrict the number of cookies that can be set by a single domain to not more than20 cookies (except Internet Explorer). If you attempt to set more than 20 cookies, the oldest cookies are automatically deleted.

In order to read cookies that come back from the client (browser) in request header, you need to call getCookies () method of the HttpServletRequest. If the request contains no cookies this method returns null.

The following statement retrieve the cookies sent in the request header.

Cookie [] cookies = request.getCookies ();

Once you have an array of cookies, loop through the cookie array in order to retrieve information about each cookie.

The following code will retrieve the cookies sent by the client.

import.java.io.*;

import.javax.servlet.*;

import.javax.servlet.http.*;

public class RetrieveCookie extends HttpServlet

{

      Public void doGet (HttpServletRequest request, HttpServletResponse

     response) throws ServletException, IOException

      {

           PrintWriter out;

           //set content type and other response header files first

           response.setContentType (“text/html”);

         //write the data of the response

          out = response.getWriter ();

          //get cookie from HTTP request header

         Cookie [] cookies = request.getcookies ();

         out.println (“<HTML> <HEAD> <TITLE> Retrieving cookies </TITLE>

         </HEAD>”);

         out.println (“<BODY>”);         

         //check whether cookies exist

         if (cookies != null)                                             

         {

               for (int i=0; i<cookies.length; i++ )

               {

                   //display these cookies

                   out.println (“Cookie Name:” + cookies [i].getName ());

                   out.println (“Value:” +cookies [i].getValue ());

                   out.println (“<br>”);

               }

          }

          else

          {

               out.println (“No cookies exist”);

          }

          out.println (“</BODY> </HTML>”);

          out.close ();

      }

}

Output: Cookie Name: name Value: daljeet

              Cookie Name: email Value: [email protected]

NOTE: When you loop through the cookie array. You might get irrelevant cookies in addition to the cookies send by you. If you want only to display the cookies send by you call getName () method on each cookie until you find one that matches with name of the cookie that you have set.

Sending cookies to the client involves the following steps,

1. Create a Cookie object.

2. Setting the maximum age.

3. Placing the Cookie into the HTTP response headers.

Creating a Cookie Object

You create a cookie by calling the Cookie constructor that takes the following form Cookie(String cookieName, String cookieValue)

For example:

Cookie c = new cookie (“email”, “[email protected]”);

It creates a cookie c with a name email and value [email protected]

Setting the Maximum Age (OPTIONAL)

By default, when a cookie is sent to the browser it is stored in the browser’s memory and deleted when the user closes the browser. If you want to store the cookie on the hard disk instead of memory, use setMaxAge () method to specify how long (in seconds) the browser should keep the cookie before it expires. For example, on using the statements

c.setMaxAge (60*60);

The browser will delete the cookie after 60 minutes.

Place the Cookie in Response Headers

After creating the cookie object and calling the setMaxAge () method, the next step is to send the cookie to the client. In order to send the cookie, call the addCookie () method of HttpServletResponse. This method will insert the cookie into a Set-Cookie response header. For example,

response.addCookie (c);

Now let us consider a servlet that will create two cookies named Name and email and send it to the client.

import java.io.*;

import javax.servlet.*;

import javax.servlet.http.*;

public class setCookie extends HttpServlet

{

    public void doGet (HttpServletRequest request, HttpServletResponse

    response) throws ServletException, IOException

    {

        PrintWriter out;

        //set content type and other response header fields first

        response.setContentType (“text/html”);

        //write the response of the data

        out = response.getWriter ();

        //create a cookie            

       Cookie c1 = new Cookie (“name”, “Daljeet”);

       Cookie c2= new Cookie (“email”, “[email protected]”);

       response.addCookie (c1);  

       response.addCookie (c2); 

       out.println (“<HTML> <HEAD> <TITLE>”);

       out.println (“Settings cookies”);

       out.println (“</TITLE> </HEAD> <BODY>”);

       out.println (“Two cookies are set named: name and email”);

       out.println (“</BODY> </HTML>”);

       out.close ();

    }

}

Output:   Two cookies are set named: name and email    

The Hypertext Transfer Protocol (HTTP) is the network protocol that the web servers and the client browsers use to communicate with each other. The HTTP is a stateless protocol. A client browser opens a connection and requests for a resource from the web server. The web server then responds with a requested resource and closes the connection.

After closing the connection, the web server does not remember any information about the client. So any next request from the same client will be treated as a fresh request without any relation to the previous request. This is what makes HTTP a stateless protocol. This protocol works fine for simple web browsing where each request typically results in an HTML file being sent back to the client. This is because web server does not need to know whether a series of requests came from the same client or from a different client. However, maintaining state is important in just about any web application. The appropriate example is a shopping cart where user select items, add them to their shopping cart and continue shopping. If you want to associate a shopping cart with a user over multiple page requests, then you need some method of maintaing state. One way of maintaing state is to use cookies.

Cookies are small textual files that a web server may send to the user’s web browser which in turn saves it to the hard disk (or if they are temporary in the web browser’s memory). The server sends the cookie to the browser in response to an initial request. Subsequent request sends the same cookie back to the server, which enables the server to identify these requests as being from the same client. By letting the server read information it send to the client previously, the site can provide visitors with a numbers of benefits such as,

• Saving login identity i.e. user names.

• Customizing sites : Many web sites now have pages where users can customize what they see when they arrive. After giving the user choice of layouts and color schemes, the site stores the preferences on the client’s computer through the use of cookies. The user can return to the site at any time and get the previously configured page.

• Identifying a user during e-commerce session.

• It let sites remember which topics interest certain users and show advertisements relevant to those interests.

• Frequent visitor bonuses.

• Bookmarks : Cookie let the use remember where he was when he last visited the site.

• Games : Cookie let remember the current or highest scores and present new

  challenges based on past answers and performance.

In the simplest form, cookies store data in the form of name-value pairs with certain additional attributes which are exchanged in the response and request headers. Each attribute/value pair is separated by a semicolon. The web servers send a cookie by sending the user-cookie response header in the following format

set-cookie: Name= Value; Comment= COMMENT; Domain= DOMAINNAME;

Max-age= SECONDS         ; Path= PATH; Secure; Version = 1*DIGIT

Here,

• Name is the name of the cookie.

• Value is the value this name can hold.

• Comment is an optional parameter that specifies the purpose associated with the cookie.

• Domain is an optional parameter that is used to specify the domain to which the cookie will be sent in future requests. By default, it is the host name of the domain that has sent the set-cookie header.

• Max-age is an optional parameter that specify how long (in seconds) the browser should keep the cookie before it expires.

• Path is an optional parameter that specifies the URL path for which the cookie

 is valid.

• The Secure parameter specifies whether the cookie should be sent only over a

  secure connection (HTTPS). By default its value is false.

In Java, cookies are created and manipulated via the javax.servlet.http.Cookie class. This class provides numerous methods. Some of the most commonly used ones are,

                                            Some methods of Cookie class