There is nothing special about the session id that you see above. There are no hidden
meanings behind the stream of letters and numbers. The session id was randomly created
to serve as a unique identifier.
A session is assigned after a successful user login. The session will remain with the user
until they log off the system. If the user does not log off, the session will usually
expire after some preset time. An expired session is no real problem for the user; they
are simply asked to log in to the system again.
You have likely already seen session timeouts while using the web. Consider when you
log into a web server to check your mail, and then leave the window open overnight. When
you try to use the window again in the morning, you will likely be told that your session has
“timed out”. This is because too much time elapsed, and the web server deleted your session.
When a website uses sessions through the URL, the session variable must be passed to
every page on the website. You will always see the session id at the top of the page. If you
remove the session part of the URL, or modify it slightly, the site will immediately take you
back to the login page. Without a valid session id, you cannot use the site.
One limitation of using the URL to maintain state is that the session id must be placed
on every link generated by the site. Because of this, if even one page removes the session id,
the session will be lost. Additionally, if the user temporarily closes the browser and returns
to the site, the state is also lost. If the user typed in the session id as part of the URL when
attempting to re-access the site, the state would not be lost; however, this is not likely to be
the case.
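The behaviour described above (a random id issued at login, deleted by the server after a timeout, and any missing or altered id sent back to the login page), as an added example that is not part of the original text. The `SessionStore` class, the `route` function, the `session` query parameter name, the idle-timeout policy and the `example.test` URL are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class SessionStore:
    """Server-side table mapping a random session id to its user."""

    def __init__(self, timeout_seconds=1800, clock=time.monotonic):
        self.timeout = timeout_seconds  # assumed idle limit, in seconds
        self.clock = clock              # injectable so expiry can be tested
        self._sessions = {}             # sid -> [user, time of last request]

    def login(self, user):
        # The id encodes nothing about the user: 128 bits from the OS CSPRNG.
        sid = secrets.token_hex(16)
        self._sessions[sid] = [user, self.clock()]
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None                 # id was removed or modified
        if self.clock() - entry[1] > self.timeout:
            del self._sessions[sid]     # server deletes the timed-out session
            return None
        entry[1] = self.clock()         # activity restarts the idle timer
        return entry[0]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def route(store, url):
    """Decide what a request gets, based only on the id carried in its URL."""
    params = parse_qs(urlsplit(url).query)
    sid = params.get("session", [""])[0]    # "session" is an assumed name
    user = store.lookup(sid)
    return f"page for {user}" if user else "redirect to login"


if __name__ == "__main__":
    store = SessionStore(timeout_seconds=60)
    sid = store.login("falken")
    base = "http://example.test/inbox"      # constructed URL
    print(route(store, f"{base}?session={sid}"))        # valid id
    print(route(store, base))                           # id removed
    print(route(store, f"{base}?session={sid[:-1]}x"))  # id modified
```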
Cookies for State
A session id on the URL line is not the only way to maintain state. Cookies can also be
used to maintain state. Cookies are different from using the URL to maintain state, in that
cookies are invisible to the user. Cookies are stored as part of the request and response
headers. Cookies are nothing more than name-value pairs. Cookies exist within a specified domain,
and no two cookies in the same domain can have the same name.
To see cookies in action visit the following URL:
http://www.httprecipes.com/1/8/cookie.php
When you access this page you will see a form that allows you to log in. To use this form,
you should log in with the user ID of “falken” and the password of “joshua”. Once you are
logged in, a cookie will be established with your browser. You will not be able to see this
cookie. The cookie is contained inside the headers of both the request and the response.
To see how the cookie is created, we must examine the response that the server sends back
when you log in to the site. You can see this response here: