Monday, September 24, 2012

Session Cookie vs URL Rewriting

In this post I will write about the HTTP session in a web application. There are a few ways to track a session:
  • Store the session ID in a cookie
  • Store the session ID in the URL

Session Cookie

An HTTP session can be considered a server-side area for storing information that has to be shared across multiple HTTP requests.
The server uses the session identifier sent by the client to identify which session the client belongs to, and reads that ID to look up the session data used by that client.
Generally the session identifier is kept in the client's browser and sent to the server; when the browser windows are closed, the browser deletes the session identifier.
Session IDs are usually stored in a cookie called the session cookie.
A session ID is assigned when a new session is created. Generally this happens:
  • on the first access to the server;
  • when the browser has been closed and the cookie deleted;
  • when the server has terminated a session after a few minutes of inactivity.

URL Rewriting

URL rewriting is a mechanism that lets the server associate an HTTP request with a session stored on the server when the client has disabled cookies.
The server uses the ID sent with the URL to track sessions. For example, a link like this:
   <a href="/add/link">ADD LINK</a>
is rewritten into
    <a href="/add/link;jsessionid=DA22145SSGE2">ADD LINK</a>
The web server extracts jsessionid from the URL to obtain the reference to the HttpSession. To produce this translation you can use encodeURL() and encodeRedirectURL().

Suppose we have a servlet, EncodeUrlServlet.

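<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
 <!-- servlet and servlet-mapping entries for EncodeUrlServlet go here -->
</web-app>
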

package com.simonefolinoblogspot.servlet;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class EncodeUrlServlet extends HttpServlet{

 private static final long serialVersionUID = 6167525405783177839L;

 protected void doGet(HttpServletRequest req, HttpServletResponse resp)
   throws ServletException, IOException {
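  // if no session is found, a new one is created
  HttpSession session = req.getSession(true);
  System.out.println("session id="+session.getId());
  String actionURL="/session-encodeurl/encode.do";
  // encodeURL() appends ;jsessionid=<id> only when the session cannot be tracked with a cookie
  req.setAttribute("actionURL", resp.encodeURL(actionURL));
  // encode.jsp reads the "actionURL" request attribute to build its link
  req.getRequestDispatcher("/jsp/encode.jsp").forward(req, resp);
 }
}
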

 <a href="<%=request.getAttribute("actionURL")%>">Call Again </a>


If you disable cookies in your browser and request http://<hostname>/<context>/encode.do, you are forwarded to encode.jsp, which prints the HTML below.



 <a href="/session-encodeurl/encode.do;jsessionid=820F618F79E21B5E541CE129C0E0EFE5">Call Again </a>

