Servlet Session Management
Session Management Techniques
HTTP is stateless, so web applications need mechanisms to track users across requests. Servlets support four techniques:
| Technique | Storage | Pros | Cons |
|---|---|---|---|
| HttpSession | Server-side | Data never leaves the server (the client holds only an opaque session ID); large data | Server memory usage; the session ID is a bearer token and must be protected (HTTPS, HttpOnly cookie, regenerated at login) |
| Cookies | Client-side | Persistent, no server memory | Size limit (~4KB per cookie); values are readable and modifiable by the client, so they must not be trusted for identity or authorization unless signed/MACed and verified server-side |
| URL Rewriting | URL parameter | Works without cookies | Ugly URLs; the session ID leaks through Referer headers, server/proxy logs, browser history and shared links |
| Hidden Fields | HTML form | Simple | Only works with forms; values are client-controlled and can be tampered with, so they must be re-validated on the server |
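@WebServlet("/session-demo")
public class SessionServlet extends HttpServlet {

    /**
     * "Login" handler: binds the submitted username to an HttpSession and renders a
     * small HTML summary.
     *
     * NOTE(review): no credential check is visible here. In a real application the
     * username/password must be verified before anything — especially "role" — is
     * stored in the session.
     *
     * @param req  request carrying the "username" form parameter
     * @param resp response that receives the HTML summary
     * @throws ServletException propagated from the container
     * @throws IOException      if the response writer fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        // Reject a missing/blank parameter rather than storing null in the session.
        if (username == null || username.trim().isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username is required");
            return;
        }

        // Get or create the session ...
        HttpSession session = req.getSession(true);
        // ... and rotate its ID at the authentication boundary. Keeping the pre-login
        // ID allows session fixation: an attacker who planted a known ID in the
        // victim's browser would share the now-authenticated session.
        // changeSessionId() is Servlet 3.1+; on 3.0 invalidate() the old session and
        // call getSession(true) instead.
        req.changeSessionId();

        session.setAttribute("username", username);
        // Kept as java.util.Date for compatibility with whatever reads this attribute;
        // java.time.Instant would be the modern choice.
        session.setAttribute("loginTime", new java.util.Date());
        session.setAttribute("role", "user");

        // Idle timeout: 30 minutes without a request ends the session.
        session.setMaxInactiveInterval(30 * 60);

        boolean isNew = session.isNew();

        resp.setContentType("text/html;charset=UTF-8");
        // The page contains user-specific data; keep it out of shared caches.
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        // The session ID (session.getId()) is deliberately NOT written into the page:
        // it is the authentication token, and exposing it in HTML defeats HttpOnly.
        out.println("<p>Is New: " + isNew + "</p>");
        // username is attacker-controlled input; escape it to prevent reflected XSS.
        out.println("<p>Username: " + escapeHtml(username) + "</p>");
    }

    /**
     * Logout handler: invalidates the caller's session, if any, and redirects to /login.
     *
     * NOTE(review): HTML forms can only send GET/POST, so a DELETE endpoint is reachable
     * only via script. Whatever verb is used, a state-changing logout endpoint should
     * carry CSRF protection.
     *
     * @param req  request whose session (if present) is destroyed
     * @param resp response that is redirected to the login page
     * @throws ServletException propagated from the container
     * @throws IOException      if the redirect cannot be sent
     */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // false: do not create a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login");
    }

    /**
     * Minimal HTML escaper for text placed in element content or quoted attributes.
     *
     * @param s text to escape (must not be null)
     * @return s with &amp;, &lt;, &gt;, &quot; and ' replaced by character references
     */
    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}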
Cookies in Servlet
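@WebServlet("/cookie-demo")
public class CookieServlet extends HttpServlet {

    /**
     * Demonstrates creating, reading and (optionally) deleting a cookie, plus URL
     * rewriting as a cookie-less session fallback.
     *
     * The "username" cookie lives in the browser and is fully client-controlled, so
     * anything read back from it is untrusted input. It must not be used as proof of
     * identity or for authorization decisions: keep such state server-side (HttpSession)
     * or sign/MAC the value and verify it on every request.
     *
     * @param req  request whose Cookie header is inspected
     * @param resp response that sets the cookie and renders a small HTML page
     * @throws ServletException propagated from the container
     * @throws IOException      if the response writer fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // ===== Create Cookie =====
        Cookie userCookie = new Cookie("username", "Alice");
        userCookie.setMaxAge(7 * 24 * 60 * 60); // 7 days, in seconds
        userCookie.setPath("/");
        // HttpOnly hides the cookie from document.cookie, so an XSS payload cannot read
        // it. It does NOT prevent XSS itself, and injected script can still issue
        // requests that carry the cookie.
        userCookie.setHttpOnly(true);
        // Secure: sent only over HTTPS; browsers drop it if this response is plain HTTP.
        userCookie.setSecure(true);
        // NOTE(review): SameSite cannot be set through the Cookie API before Servlet 6.0.
        // Configure it in the container (or, on 6.0+, via
        // userCookie.setAttribute("SameSite", "Lax")); without it the cookie is attached
        // to cross-site requests and offers no CSRF mitigation.
        resp.addCookie(userCookie);

        // ===== Read Cookies =====
        String username = null;
        Cookie[] cookies = req.getCookies(); // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("username".equals(c.getName())) {
                    username = c.getValue();
                    break;
                }
            }
        }

        // ===== Delete Cookie =====
        // A cookie is removed by re-sending it with Max-Age=0 and the SAME name, path
        // (and domain) it was set with; a mismatch leaves the original in place.
        Cookie deleteCookie = new Cookie("username", "");
        deleteCookie.setMaxAge(0); // Expire immediately
        deleteCookie.setPath("/");
        // resp.addCookie(deleteCookie); // Uncomment to delete

        // ===== URL Rewriting (fallback when cookies disabled) =====
        // encodeURL() appends ;jsessionid=... only when the container believes the
        // client is not accepting cookies. That puts the session ID into the URL, where
        // it leaks through Referer headers, proxy/server logs, browser history and
        // copied links. Prefer disabling URL-based tracking in production
        // (web.xml: <session-config><tracking-mode>COOKIE</tracking-mode></session-config>).
        String encodedUrl = resp.encodeURL(req.getContextPath() + "/profile");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // The cookie value is attacker-controlled (the browser, or anything able to
        // write cookies for this host): escape it before reflecting it into HTML.
        // String.valueOf keeps the original "null" rendering when the cookie is absent.
        out.println("<p>Username from cookie: " + escapeHtml(String.valueOf(username)) + "</p>");
        // Escaped for the attribute context as well; encodedUrl is server-built, but
        // escaping is cheap and keeps the output safe if the path ever becomes dynamic.
        out.println("<a href='" + escapeHtml(encodedUrl) + "'>My Profile</a>");
    }

    /**
     * Minimal HTML escaper for text placed in element content or quoted attributes.
     *
     * @param s text to escape (must not be null)
     * @return s with &amp;, &lt;, &gt;, &quot; and ' replaced by character references
     */
    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}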