1

I am new to Java EE. I have a site which requires a user to log in, and after the user logs in I would like the user to see his/her own items (e.g. shopping cart).

So that means I have to use a session to accomplish that. But how do I deal with multiple sessions?

For example, multiple users log in to the system as well as to the same servlet? However, can I keep multiple sessions in one servlet? Do I keep a record of each of them? How does it work?

Can someone give an example, please?

Arjan Tijms
peter
  • the sessions are saved on the server, not on the servlet – Luiggi Mendoza Jul 10 '12 at 14:13
  • How does that work? Can you briefly explain it, please? – peter Jul 10 '12 at 16:06
  • 1
    For a better guidance on this issue, BalusC has a very great answer. See this question http://stackoverflow.com/q/3106452/1065197 – Luiggi Mendoza Jul 10 '12 at 16:24
  • 1
    Also, for these kinds of questions, you can do some research in the Stack Overflow wiki and look at some questions here. There are great people who have given great answers for almost all the basic concepts of Java SE, Java EE and other technologies/frameworks. – Luiggi Mendoza Jul 10 '12 at 16:26

3 Answers

10

In a servlet you have access to `HttpServletRequest`, which provides you with a `getSession()` method. This method returns a session object (essentially a key-value map), different for each user.

If you put something into that map (like shopping cart), you can retrieve it later - but only when the same user accesses the application again (not necessarily the same servlet).

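```java
public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {

    // Returns this user's session, creating one if none exists yet
    HttpSession session = request.getSession();
    // Returns null if nothing has been stored under "cart" so far
    Object cart = session.getAttribute("cart");
    //...
    // whateverYouWant stands for the object you want to keep for this user
    session.setAttribute("cart", whateverYouWant);
}
```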

Sessions are maintained in the servlet container and looked up by session id (typically a cookie). You don't have to implement anything yourself.

Tomasz Nurkiewicz
  • How do you determine and know if the request is coming from the same user? By checking the session id? Or a user-defined attribute? – peter Jul 10 '12 at 14:17
  • I think the OP's question is more about having multiple sessions. Could possibly be from a different browser. If it is from the same browser and cookies are enabled, then this makes sense. – kosa Jul 10 '12 at 14:18
  • @user1389813 the servlet container will handle this for you as long as the session has not been destroyed (`session.destroy()` or user closes browser, or session times out) – ametren Jul 10 '12 at 14:19
  • @user1389813: that's the beauty of servlets: just put something in the session and read it back when the same user enters your application (as long as the session didn't time out). If another user tries to read the session, he gets his copy. Each user has his own session identified transparently by the JSESSIONID cookie (typically). – Tomasz Nurkiewicz Jul 10 '12 at 14:24
  • Ok, 2 questions: (1) Does this mechanism work if I have multiple tabs (same browser) browsing the same site, and one of them is already logged in? (2) Is it possible to fake the session id? I mean, is it secure in the sense of not being re-used and copied from the cookie? – peter Jul 10 '12 at 14:29
  • 2
    @user1389813: yes, it works across tabs, but not necessarily across different browser windows (and of course different browsers will have different sessions). There are several attacks against session cookies and several approaches to mitigate them, e.g. HttpOnly flag. However this approach for session handling is most commonly used... everywhere. – Tomasz Nurkiewicz Jul 10 '12 at 14:31
  • Will HTTPS help in that case, I am wondering, for session cookies? – peter Jul 10 '12 at 14:35
  • @user1389813: HTTP is always a good idea. It will help with cookies as their contents will be encrypted. – Tomasz Nurkiewicz Jul 10 '12 at 15:35
  • You mean HTTPS or HTTP? – peter Jul 10 '12 at 15:45
  • @user1389813: of course HTTPS, sorry, can't edit so late – Tomasz Nurkiewicz Jul 10 '12 at 15:52
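The cookie protections mentioned in the comments above (HttpOnly, HTTPS-only) can be switched on once for the whole application, and the session id can be replaced at login so that an id handed out before authentication is worthless afterwards. This is an added example, not code from the answer or its comments; it assumes a Servlet 3.1+ container with the `javax.servlet` API and a configured authentication realm, and the `/login` and `/cart` paths, the form field names and the class names are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Runs once at deployment, before any session exists.
@WebListener
public class SessionHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // session cookie is not readable from page JavaScript
        cookie.setSecure(true);   // session cookie is only sent over HTTPS
        // Cookie tracking only: the id is never rewritten into URLs (;jsessionid=...)
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // "/login" is a hypothetical path chosen for this example
        ctx.addServlet("login", new LoginServlet()).addMapping("/login");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        try {
            // Container-managed credential check against the configured realm
            // ("email" and "password" are assumed form field names)
            request.login(request.getParameter("email"),
                          request.getParameter("password"));
        } catch (ServletException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = request.getSession(); // reuse or create the session
        request.changeSessionId(); // fresh id at login; attributes are kept
        // Identity lives server-side in the session, never in the cookie itself
        session.setAttribute("id", request.getUserPrincipal().getName());
        response.sendRedirect(request.getContextPath() + "/cart"); // hypothetical page
    }
}
```

With `setSecure(true)` the browser will not send the session cookie over plain HTTP, so the application has to be served over HTTPS for sessions to work at all.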
3

Yes you can. The servlet container will keep track of them for you, so you shouldn't have to do that bookkeeping yourself. The Session object can be obtained from the HttpServletRequest in your servlet code. Since your code only has to concern itself with a single request at a time, there's generally not much pain in dealing with multiple sessions.

Ian McLaird
0

To deal with multiple users logging in to servlets, create a session for each login as:

```java
HttpSession session = request.getSession();
```

`public HttpSession getSession()` returns the current session associated with this request, or if the request does not have a session, creates one.

Each session will identify the users uniquely.

Now, if the user wants to change some data that is in the database, then after creating the session, set an attribute on that session with the information which can uniquely identify the user in the database, e.g. email_id, as:

```java
session.setAttribute("id", email_id); // email_id of the user
```

This attribute can be retrieved later in another Servlet/JSP as:

```java
// getAttribute() returns Object, so a cast is needed
String email_id = (String) session.getAttribute("id");
```

This attribute will help in identifying the user who has sent a request to the server to update data in the database or to do something else. For more methods related to the session, refer to the link: http://www.javatpoint.com/http-session-in-session-tracking

Dhruvam Gupta
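One way to enforce the "id" attribute described in the answer above on every protected request is a servlet filter. This is an added example, not part of the original answer; it assumes the `javax.servlet` API, and the `/account/*` and `/login` paths, the `currentUserEmail` request attribute and the class name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// "/account/*" is a hypothetical URL space for pages that need a logged-in user.
@WebFilter("/account/*")
public class RequireLoginFilter implements Filter {
    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so anonymous or expired
        // visitors are not handed a fresh, empty one just for asking.
        HttpSession session = request.getSession(false);
        Object id = (session == null) ? null : session.getAttribute("id");

        // Missing session, missing attribute or wrong type: treat as not logged in
        if (!(id instanceof String)) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        // Servlets behind the filter take the identity from here, never from a
        // request parameter the client controls.
        request.setAttribute("currentUserEmail", id);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```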