How is HttpSession Stored in the Servlet Framework

Question

This is a pretty remedial question. I have not used the HttpSession class before. I am reading this tutorial, and I see that the session is a property of the HttpServletRequest.

public void doGet(HttpServletRequest req, HttpServletResponse res)
    throws ServletException, IOException {

    // get current session, or initialise one if none
    HttpSession sess = req.getSession(true);
}

My question is, how does the session get stored? On the client? In the past I have been accustomed to storing the session server / database side. How does this work? If I update the session on a given request, will that always be reflected through subsequent calls? Is the session stored on the client?

Session is not stored on the client, but a `session key` which uniquely identifies the session data on server side. The 'key' data usually stored on client side using cookies or request header. — K139, May 04 '15 at 14:40
So how do they get data from this method call, in the tutorial? ` String username = req.getParameter("username");` — David Williams, May 04 '15 at 14:41
Your server/container will execute this statement on `server side` before sending the plain text via HTTP/HTTPS message. So your `server` knows what session to associate a particular request with. It's part of the server standard. — K139, May 04 '15 at 14:43
@DavidWilliams That has nothing to do with the session, that's a request parameter. — Dave Newton, May 04 '15 at 14:43
You need to store the session details in database if it's Stateless-session. If it's a statefull session, you can just handle by storing the session in HttpSession and also storing it in the browser cookie, then comparing it for every action. — The Coder, May 04 '15 at 14:43
@DavidWilliams if cookies are disabled on client where jSessionId will be stored? — Irfan Nasim, Oct 11 '16 at 05:29

score 4 · Answer 1 · answered May 04 '15 at 14:54

how does the session get stored? On the client? In the past I have been accustomed to storing the session server / database side. How does this work?

A session can be defined as a server-side storage of information that is desired to persist throughout the user's interaction with the web site or web application.

Is the session stored on the client?

Instead of storing large and constantly changing information via cookies in the user's browser, only a unique identifier is stored on the client side (called a "session id"). This session id is passed to the web server every time the browser makes an HTTP request (ie a page link or AJAX request). The web application pairs this session id with it's internal database and retrieves the stored variables for use by the requested page.

when ever getSession() method is called it returns session if exists else it create a new session.apart from creating a session it does 5 things which you wont do.

You don’t make the new HttpSession object yourself.
You don’t generate the unique session ID.
You don’t make the new Cookie object.
You don’t associate the session ID with the cookie.
You don’t set the Cookie into the response

All the cookie work happens behind the scenes.

If I update the session on a given request, will that always be reflected through subsequent calls?

yes it effects the subsequent calls.

If it is not stored on the client, and I have multiple servers, and no stickiness of session on a load balancer, how would modifications to the session object be reflected through multiple calls? — David Williams, May 04 '15 at 14:57
@DavidWilliams : in that case you would get undefined behaviour with one session per server without knowing what server is hit. But having multiple servers for same URL without special session processing (sticky sessions or shared sessions) would definitively be a server misconfiguration ! — Serge Ballesta, May 04 '15 at 15:01
@DavidWilliams if cookies are disabled on client where jSessionId will be stored? — Irfan Nasim, Oct 11 '16 at 05:33

score 3 · Answer 2 · answered May 04 '15 at 14:41

3

With a session cookie, or if cookies are disabled you're able to see the telltale JSESSIONID parameter. This was at least the case a while ago, and I shouldn't think it has changed.

answered May 04 '15 at 14:41

Kayaman

72,141
5
83
121

So this a session object stored on the client, is that correct? – David Williams May 04 '15 at 14:42
1

@DavidWilliams No, it's a session ID, used to retrieve the session on the server. – Dave Newton May 04 '15 at 14:42
So in the tutorial the very next call after `getSession` is `String username = req.getParameter("username");` Where did that data come from? – David Williams May 04 '15 at 14:43
@DavidWilliams From the URL, as a request parameter. – Kayaman May 04 '15 at 14:44
1

This is a request parameter comming from the URL: http//server:port/myApp/myServlet?username=Peter – swinkler May 04 '15 at 14:44

score 2 · Answer 3 · answered May 04 '15 at 14:43

The HttpSession is by default stored in memory and created/maintained by the web server (jetty, tomcat, ...). Depending on the web server you use you might have options like storing session information into the database.

Here is the tomcat documentation for the session manager[1]

[1] https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html

How is HttpSession Stored in the Servlet Framework

3 Answers3