Java Platform, Enterprise Edition (Java EE) 8
The Java EE Tutorial
Many applications require that a series of requests from a client be associated with one another. For example, a web application can save the state of a user’s shopping cart across requests. Web-based applications are responsible for maintaining such state, called a session, because HTTP is stateless. To support applications that need to maintain state, Java Servlet technology provides an API for managing sessions and allows several mechanisms for implementing sessions.
Sessions are represented by an
HttpSession object. You access a
session by calling the
getSession method of a request object. This
method returns the current session associated with this request; or, if
the request does not have a session, this method creates one.
You can associate object-valued attributes with a session by name. Such attributes are accessible by any web component that belongs to the same web context and is handling a request that is part of the same session.
Recall that your application can notify web context and session listener objects of servlet lifecycle events (Handling Servlet Lifecycle Events). You can also notify objects of certain events related to their association with a session, such as the following.
When the object is added to or removed from a session. To receive this
notification, your object must implement the
When the session to which the object is attached will be passivated or
activated. A session will be passivated or activated when it is moved
between virtual machines or saved to and restored from persistent
storage. To receive this notification, your object must implement the
Because an HTTP client has no way to signal that it no longer needs a
session, each session has an associated timeout so that its resources
can be reclaimed. The timeout period can be accessed by using a
To ensure that an active session is not timed out, you should periodically access the session by using service methods because this resets the session’s time-to-live counter.
When a particular client interaction is finished, you use the
invalidate method to invalidate a session on the server side
and remove any session data.
To set the timeout period in the deployment descriptor using NetBeans IDE, follow these steps.
Open the project if you haven’t already.
Expand the node of your project in the Projects tab.
Expand the Web Pages and WEB-INF nodes that are under the project node.
Click General at the top of the editor.
In the Session Timeout field, enter an integer value.
The integer value represents the number of minutes of inactivity that must pass before the session times out.
To associate a session with a user, a web container can use several methods, all of which involve passing an identifier between the client and the server. The identifier can be maintained on the client as a cookie, or the web component can include the identifier in every URL that is returned to the client.
If your application uses session objects, you must ensure that session
tracking is enabled by having the application rewrite URLs whenever the
client turns off cookies. You do this by calling the response’s
encodeURL(URL) method on all URLs returned by a servlet. This method
includes the session ID in the URL only if cookies are disabled;
otherwise, the method returns the URL unchanged.