Invalidating the existing session and creating new session in servlets

The Session Tracking API, as we call the portion of the Servlet API devoted to session tracking, should be supported in any web server that supports servlets.

The level of support, however, depends on the server.


Fortunately for us servlet developers, it's not always necessary for a servlet to manage its own sessions using the techniques we have just discussed.

The Servlet API provides several methods and classes specifically designed to handle session tracking on behalf of servlets.

Other implementations, such as using SSL (Secure Sockets Layer) sessions, are also possible.

A servlet can discover a session's ID from the session object. That ID should be held as a server secret, because any client with knowledge of another client's session ID can, with a forged cookie or URL, join the second client's session.

Several methods are involved in managing the session life cycle. One of them reports whether the session is new.

A session is considered new if it has been created by the server but the client has not yet acknowledged joining the session.

The Servlet API provides two methods to perform this encoding. The first encodes (rewrites) the specified URL to include the session ID and returns the new URL, or, if encoding is not needed or not supported, it leaves the URL unchanged.

The rules used to decide when and how to encode a URL are server-specific.

All URLs emitted by a servlet should be run through this method.

The second method likewise encodes (rewrites) the specified URL to include the session ID and returns the new URL, or, if encoding is not needed or not supported, it leaves the URL unchanged.

Note that installing this servlet is a security risk, as it exposes the server's session IDs; these may be used by unscrupulous clients to join other clients' sessions.
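The following is an added example (not code from the original text) showing the pattern the title refers to: at login, the servlet invalidates the client's existing session and creates a new one, so a session ID the client held before authenticating is no longer valid afterwards, and every URL it emits is run through the response's encoding methods. It assumes the `javax.servlet` API and a hypothetical `credentialsValid()` helper standing in for real credential checking.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: rotate the session at login so a pre-authentication
// session ID cannot be reused once the user is logged in.
public class LoginServlet extends HttpServlet {

    // Invalidate the caller's current session (if any) and start a fresh one,
    // carrying over only the attributes we explicitly choose to keep.
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);   // do not create one just to kill it
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                // Hypothetical rule: only a pre-login shopping cart survives rotation.
                if ("cart".equals(name)) keep.put(name, old.getAttribute(name));
            }
            old.invalidate();                       // old ID is now useless to anyone holding it
        }
        HttpSession fresh = req.getSession(true);   // server issues a brand-new ID
        keep.forEach(fresh::setAttribute);
        return fresh;
    }

    // Placeholder for a real credential check (assumed, not part of the Servlet API).
    private static boolean credentialsValid(String user, String password) {
        return user != null && password != null && !user.isEmpty() && !password.isEmpty();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!credentialsValid(req.getParameter("user"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = rotateSession(req);
        session.setAttribute("user", req.getParameter("user"));
        // Redirect targets go through encodeRedirectURL() so cookie-less clients carry the
        // new ID; the ID itself is never written into a page body.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }
}
```

Because the old session is invalidated rather than reused, `isNew()` on the returned session is true until the client sends the new ID back, which is the point at which the client has acknowledged joining the fresh session.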
