Java Reference
In-Depth Information
Session identification - A server must be able to maintain the client's identity over the lifetime of the
application.
Session representation - Depending on the needs of the application, one or more session objects might be used
to represent state.
Benefits and Drawbacks
The central benefits of the Session pattern are evident from its characteristics: identifying service requesters and
maintaining state-based resources. Secondary advantages might exist, as well, depending on the model chosen for
implementing the pattern. For instance, if client identity is established as a result of a login, the Session can
manage accountability and prioritization when accessing server-side resources. If Session information is stored in
a database, the server can maintain information about a client's state over a series of business transactions.
A drawback of the Session is its increased workload on the server, and the increased complexity required of
server software. Beyond its normal requirements, a Session-based server must have some way to establish client
identity, store and retrieve associated information, and validate client identity on a number of occasions during
the application.
Pattern Variants
The principal variations of the Session center around the key issues of identity and state.
Managing session identity - You can use three approaches:
Security-based identification - A login provides a session ID for the client.
Implicit identification - A long-term connection between client and server automatically validates identity.
Arbitrary identification - The server assigns a unique session ID to each client. The ID is arbitrary and is used only to track a client during a single use of the server.

Managing session state - In Sessions where state is required, you can maintain information in the following ways, on the client or the server:
Object-based storage, client side - The client takes responsibility for data storage and sends what is required to the server. This reduces overall application security; data is present on a client, potentially a less secure machine. However, it is easy to associate the data with a client, since the client stores the information and sends it to the server. Another benefit of this approach is that it reduces the load on the server, requiring a client application to store its own data. How this is implemented varies depending on your technology; in HTTP, this approach is implemented using cookies.
Object-based storage, server side - The server stores any data for its clients, and uses what is required during client requests. The server maintains all the application data, so there is a heavier load on the server. However, overall system security tends to be higher since data is maintained on the server. System efficiency is usually higher as well, since there is no redundant transfer of data. The challenge that you might face with server-side storage lies in establishing client identity, since the client and its data are decoupled in the application. In HTTP and Java, this approach means using HttpSession.
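
The sketch below combines arbitrary identification with server-side, object-based storage: the client holds only an unpredictable ID, and the server validates that ID on every lookup. It is an added example, not code from the book; the SessionStore class and its method names are hypothetical, the 30-minute idle timeout is a constructed value, and Java 16 or later is assumed for records.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class for illustration; in a servlet container HttpSession fills this role.
public class SessionStore {
    private record Entry(Map<String, Object> state, Instant expires) {}

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final Duration idleTimeout;

    public SessionStore(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // Arbitrary identification: a 128-bit random ID that carries no client data
    // and cannot be predicted from earlier IDs.
    public String create() {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Entry(new ConcurrentHashMap<>(), Instant.now().plus(idleTimeout)));
        return id;
    }

    // Validate the ID on every request. Unknown or expired IDs yield no state;
    // an expired entry is removed, a live one has its idle timer renewed.
    public Optional<Map<String, Object>> lookup(String id) {
        if (id == null) return Optional.empty();
        Entry e = sessions.computeIfPresent(id, (k, v) ->
            Instant.now().isAfter(v.expires()) ? null
                : new Entry(v.state(), Instant.now().plus(idleTimeout)));
        return Optional.ofNullable(e).map(Entry::state);
    }

    // End the session explicitly, for example at logout.
    public void invalidate(String id) { if (id != null) sessions.remove(id); }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(30)); // constructed timeout
        String id = store.create();                        // only this ID goes to the client
        store.lookup(id).ifPresent(s -> s.put("cart", 3)); // the state itself stays on the server
        System.out.println(store.lookup(id).map(s -> s.get("cart")));
        System.out.println(store.lookup("guessed-id").isPresent());
        store.invalidate(id);
        System.out.println(store.lookup(id).isPresent());
    }
}
```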
Related Patterns
None.
Example
Note:
For a full working version of this code example, with additional supporting classes and/or a RunPattern class,
see “Session” on page 507 of the “Full Code Examples” appendix.