SE 452 Fall 2001/2002
Lecture Notes Set 6
Maintaining States
- HTTP protocol is stateless
  - Each request is handled independently of any other
  - HTTP server does not keep track of visit histories of user actions or state of the client
- Many apps need to maintain state of users:
  - shopping cart
  - one-click ordering
  - personalization
  - focused advertising
Maintaining States in Servlets
- Servlets depend on some other mechanism to manage state
  - cookies
  - sessions
  - databases
Cookies
- Cookies are small amounts of data that
  - the server sends to the client
  - the client sends back to the server on every request that the client makes
- Cookies are in the form of name-value pairs
- Cookies are stored on the client's machine
- Client returns the data to the server when it connects to the same site, domain or URL.
- Cookies can be disabled in the browser
Using Cookies
- The issue is privacy, not security
  - server keeps track of your actions
  - servers may share cookie information with a third party
  - improper use of cookies may leave your sensitive info vulnerable
  - security loopholes may let hostile sites steal cookies in some browsers
- Rules of thumb
  - Don't depend on cookies being enabled
  - Don't put sensitive info into cookies
Cookie Restrictions
- The browser may restrict the use of cookies
  - cookies may be disabled
  - the number of cookies for each site may be limited (20)
  - total number of cookies may be limited (300)
  - size of the cookie may be limited (4KB)
- IE 6 has a bunch of new cookie rules
Cookie API
- Add cookies using HttpServletResponse
  - void addCookie(Cookie newCookie)
- Retrieve cookies using HttpServletRequest
- Cookie class
  - name-value pair
  - Constructor: Cookie(String name, String value)
  - name of the cookie cannot be changed once created (immutable)
  - String getName() - gets name of cookie
  - String getValue() - gets the value of the cookie
  - void setValue(String newValue) - sets the value of the cookie
  - Maximum age of a cookie - int getMaxAge() and void setMaxAge(int age)
    - how much time should elapse before cookie expires
    - measured in seconds
    - 0 value causes cookie to expire immediately
    - -1 (default) causes cookie to live until browser is shut down
  - Domain name of cookie - String getDomain() and void setDomain(String url)
    - Domain in which the cookie is visible
    - Cookie is visible to all servers in the specified domain
    - By default, cookies are only returned to the server that sent them
  - Cookie path - String getPath() and void setPath(String url)
    - Path under which cookie is visible
    - Path on the server to which the browser returns the cookie
    - Cookie is visible to all pages in the directory and all subdirectories
    - Path must include the servlet that set the cookie
  - Other methods
    - boolean getSecure()/void setSecure(boolean flag) - only send cookies over secure protocol
    - String getComment()/void setComment(String comment) - comment describing purpose of cookie
    - int getVersion()/void setVersion(int version) - version of this protocol that cookie complies with
Java Expo Version 2.0 using Cookies
- Link on examples page
- Source code on examples page
- Add direct login support (like My Yahoo, etc.)
  - Store user names and passwords in passwd.cfg file
  - Store passwd.cfg file under WEB-INF directory to prevent tampering
  - Load passwd.cfg using ServletContext class
    - used to communicate with the servlet container
    - one context per web app per Java Virtual Machine
  - Logout without disabling direct login
  - Login without supplying user name and password
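The cookie API listed above and the direct-login feature of Java Expo 2.0, put together in one servlet. This is an added example written for these notes, not the Java Expo source from the examples page. It assumes the javax.servlet API (Servlet 3.0 or later for setHttpOnly), that passwd.cfg is a java.util.Properties file with one username=password line per user as the notes describe, and it invents the cookie name expoLogin and the server-side token table. Following the rule of thumb above, the cookie carries only a random token; the user name and password never leave the server.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example for these notes, not the Java Expo source. passwd.cfg is assumed to be
// in java.util.Properties format ("username=password" per line), as the notes describe.
public class DirectLoginServlet extends HttpServlet {
    private static final String LOGIN_COOKIE = "expoLogin";   // assumed cookie name
    private static final int ONE_WEEK = 7 * 24 * 60 * 60;     // setMaxAge() counts seconds

    private final Properties passwords = new Properties();
    // token -> user name, kept on the server. The cookie carries only the random token,
    // never the user name or password (rule of thumb: no sensitive info in cookies).
    private final Map<String, String> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    @Override
    public void init() throws ServletException {
        // WEB-INF is never served to clients, so passwd.cfg cannot be fetched or altered
        // over HTTP; the servlet reads it through the ServletContext instead.
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/passwd.cfg")) {
            if (in == null) throw new ServletException("/WEB-INF/passwd.cfg not found");
            passwords.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot read passwd.cfg", e);
        }
    }

    /** Login form: check the credentials, then hand out a direct-login cookie. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        String expected = (user == null) ? null : passwords.getProperty(user);
        if (expected == null || pass == null || !sameSecret(expected, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad user name or password");
            return;
        }
        byte[] raw = new byte[24];
        random.nextBytes(raw);                              // unguessable token
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, user);

        Cookie c = new Cookie(LOGIN_COOKIE, token);
        c.setMaxAge(ONE_WEEK);                    // survives browser shutdown (default -1 would not)
        c.setPath(req.getContextPath() + "/");    // returned for this web app only
        c.setSecure(true);                        // only sent over HTTPS
        c.setHttpOnly(true);                      // Servlet 3.0+: not readable by page scripts
        resp.addCookie(c);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Later visits: recognise the user from the cookie, or forget this browser on request. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Cookie login = findCookie(req, LOGIN_COOKIE);
        if (login != null && "forget".equals(req.getParameter("action"))) {
            tokens.remove(login.getValue());           // revoke on the server...
            login.setMaxAge(0);                        // ...and have the browser delete it
            login.setPath(req.getContextPath() + "/"); // path must match the cookie being cleared
            resp.addCookie(login);
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        String user = (login == null) ? null : tokens.get(login.getValue());
        resp.setContentType("text/plain");
        resp.getWriter().println(user == null ? "not logged in" : "welcome back, " + user);
    }

    /** getCookies() returns null when the request carries no cookies at all. */
    private static Cookie findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c;
        }
        return null;
    }

    /** Constant-time comparison: response time then does not depend on how much of the password matched. */
    private static boolean sameSecret(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The "forget" action shows the setMaxAge(0) rule from the Cookie API section: a cookie is deleted by sending it back with age 0 and the same path, and the server forgets the token at the same time so a copy of the old cookie value is useless. The tokens map lives in one JVM; a real deployment would keep it in a database so it survives restarts and works across servers.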
Session Tracking
- Session is a series of exchanges between the client and the server to accomplish certain tasks.
- Session tracking is a mechanism for the server to keep track of the history and/or the accumulative results of the actions by the client.
- Approaches to session tracking:
  - URL rewriting
  - Cookies
  - Hidden fields
Session Tracking Approaches
- Server assigns a unique identifier to each client called the session ID.
- Client identifies itself with the session ID in each request.
- Mechanisms to send session ID:
  - URL rewriting - session info is encoded into the URLs in the response
    - http://www.xyz.com/catalog.html;jsessionid=1234
  - Cookies - session info is stored as cookies
    - response.addCookie(new Cookie("jsessionid", "1234"));
  - Hidden fields - server adds hidden fields to store the session info
    - <input type="hidden" name="jsessionid" value="1234">
Session Tracking in Servlets
- Java provides a high-level API for session tracking
- HttpSession interface represents a set of bindings of names to session objects
- Session objects are stored on the server
- Session IDs are sent to the client via either
  - Cookies if the client has them enabled
  - URL encoding if cookies are disabled by the client
- The decision is made by the servlet container and is transparent to servlets
HTTP Session
- Scope of HttpSession is the entire web application
- Session persists for a specified time period, across more than one connection or page request from the user.
- Programming concerns:
  - Servlets should accommodate both mechanisms - call encodeURL() for all URLs
  - Objects stored in session should be serializable
  - Multiple threads may have access to a single session object
Session API
- HttpServletRequest
  - HttpSession getSession()
  - HttpSession getSession(boolean create)
    - Returns current session or creates new session if create is true (default)
  - String getRequestedSessionId() - returns the session ID
- HttpServletResponse
  - String encodeURL(String url)
    - Encodes the specified URL by including the session ID or may return URL unchanged
- HttpSession
  - void setAttribute(String name, Object value)
    - Binds an object to the specified name in this session
  - Object getAttribute(String name)
    - Returns the object bound to the specified name in the session or null if name does not exist
  - void removeAttribute(String name)
    - Removes the binding with the specified name from the session
  - String getId() - returns the session ID
  - Enumeration getAttributeNames()
    - Returns an Enumeration of the String objects for the bindings of this session
  - long getCreationTime() - returns time when session was created
  - long getLastAccessedTime() - returns the last time the client sent a request associated with this session
  - int getMaxInactiveInterval()
    - Returns the maximum time interval, in seconds, that the servlet container will keep this session open between client accesses
    - Tomcat default: 30 minutes
  - void setMaxInactiveInterval(int interval)
    - sets the time interval before a servlet container invalidates a session
    - a negative time indicates that the session should never expire
  - void invalidate()
    - Invalidates this session and unbinds any objects in this session
  - boolean isNew()
    - Returns true if the client does not know about the session or the client chooses not to join the session
Java Expo Version 2.0 using Sessions
- Link on examples page
- Source code on examples page
- Use sessions to select presentations
  - A registered user may choose one or more presentations to attend
  - A presentation has a unique ID, title and time
  - Presentation data is stored in presentation.dat
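The Session API above applied to the Java Expo 2.0 presentation chooser. This is an added example for these notes, not the Java Expo source from the examples page. It assumes the javax.servlet API, that presentation.dat sits under WEB-INF with one id|title|time line per presentation (the notes do not give the file's format or location), and it invents the attribute name selectedPresentations. It covers the three programming concerns from the HTTP Session section: encodeURL() on every URL, a Serializable object in the session, and a lock around concurrent access to the session.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeSet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not Java Expo code. Assumed: /WEB-INF/presentation.dat holds "id|title|time" lines.
public class PresentationServlet extends HttpServlet {
    private static final String SELECTED = "selectedPresentations";  // assumed attribute name
    static final class Presentation {          // unique ID, title and time, as in the notes
        final String id, title, time;
        Presentation(String id, String title, String time) { this.id = id; this.title = title; this.time = time; }
    }
    private final Map<String, Presentation> catalog = new LinkedHashMap<>();

    @Override
    public void init() throws ServletException {
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/presentation.dat")) {
            if (in == null) throw new ServletException("/WEB-INF/presentation.dat not found");
            BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.split("\\|", 3);
                if (f.length == 3) catalog.put(f[0].trim(), new Presentation(f[0].trim(), f[1].trim(), f[2].trim()));
            }
        } catch (IOException e) {
            throw new ServletException("cannot read presentation.dat", e);
        }
    }

    /** Attend or drop a presentation, or log out. Selections live in the HttpSession, on the server. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String action = req.getParameter("action");
        if ("logout".equals(action)) {
            HttpSession s = req.getSession(false);   // false: don't create a session just to destroy it
            if (s != null) s.invalidate();           // unbinds every attribute of the session
            resp.sendRedirect(resp.encodeURL(req.getRequestURI()));
            return;
        }
        String id = req.getParameter("id");
        if (id == null || !catalog.containsKey(id)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown presentation");
            return;
        }
        HttpSession session = req.getSession();      // creates one if this client has none yet
        if (session.isNew()) {
            session.setMaxInactiveInterval(20 * 60); // seconds; shorter than Tomcat's 30-minute default
        }
        // Two requests from one browser (two tabs) can reach the same session concurrently, so the
        // read-modify-write is guarded. Locking on the session object is the common idiom.
        synchronized (session) {
            TreeSet<String> chosen = selected(session);
            if ("remove".equals(action)) chosen.remove(id); else chosen.add(id);
            session.setAttribute(SELECTED, chosen);  // TreeSet<String> is Serializable, as required
        }
        resp.sendRedirect(resp.encodeURL(req.getRequestURI()));
    }

    @SuppressWarnings("unchecked")
    private static TreeSet<String> selected(HttpSession session) {
        TreeSet<String> set = (TreeSet<String>) session.getAttribute(SELECTED);
        return (set == null) ? new TreeSet<>() : set;     // getAttribute is null for an unbound name
    }

    /** List every presentation with an Attend or Drop button. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        TreeSet<String> chosen = new TreeSet<>();
        if (session != null) synchronized (session) { chosen.addAll(selected(session)); }  // copy under the same lock
        // encodeURL() appends ;jsessionid=... only when the container fell back to URL rewriting
        // because the client refused cookies; otherwise the URL comes back unchanged.
        String self = resp.encodeURL(req.getRequestURI());
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<h1>Presentations</h1><ul>");
        for (Presentation p : catalog.values()) {
            boolean picked = chosen.contains(p.id);
            out.printf("<li>%s at %s <form method='post' action='%s'><input type='hidden' name='id' value='%s'>"
                    + "<input type='hidden' name='action' value='%s'><input type='submit' value='%s'></form></li>%n",
                    esc(p.title), esc(p.time), esc(self), esc(p.id), picked ? "remove" : "add", picked ? "Drop" : "Attend");
        }
        out.println("</ul>");
    }

    private static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("'", "&#39;");
    }
}
```

Only the set of chosen presentation IDs is stored in the session; the catalog itself is loaded once in init() and shared by all sessions. Because every form action goes through encodeURL(), the same page works whether the container tracks the session with a cookie or by rewriting URLs, which is the "accommodate both mechanisms" concern from the notes.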