Servlets Session Tracking - Java Servlets

What is Servlets Session Tracking?

HTTP is a "stateless" protocol, which means that each time a client retrieves a web page, the client opens a separate connection to the web server, and the server automatically does not keep any record of earlier client requests.

Still, there are the following three ways to maintain a session between web client and web server −


Cookies

A web server can assign a unique session ID as a cookie to each web client, and subsequent requests from the client can be recognized using the received cookie.

This may not be an effective way because many times browsers do not support a cookie, so I would not recommend using this procedure to maintain sessions.

Hidden Form Fields

A web server can send a hidden HTML form field along with a unique session ID as follows –

This entry means that, when the form is submitted, the specified name and value are automatically included in the GET or POST data. Each time the web browser sends a request back, the session_id value can be used to keep track of different web browsers.

This can be an effective way of keeping track of the session, but clicking on a regular (<A HREF...>) hypertext link does not result in a form submission, so hidden form fields also cannot support general session tracking.

URL Rewriting

You can append some extra data to the end of each URL that identifies the session, and the server can associate that session identifier with data it has stored about that session.

For instance, with ;sessionid = 12345 appended to the URL, the session identifier is attached as sessionid = 12345, which can be accessed at the web server to identify the client.

URL rewriting is a better way to maintain sessions, and it works even when browsers don't support cookies. The disadvantage of URL rewriting is that you would have to generate every URL dynamically to assign a session ID, even in the case of a simple static HTML page.

The HttpSession Object

Apart from the three ways mentioned above, the servlet API provides the HttpSession interface, which provides a way to identify a user across more than one page request or visit to a web site and to store information about that user.

The servlet container uses this interface to create a session between an HTTP client and an HTTP server. The session persists for a specified time period, across more than one connection or page request from the user.

You would get the HttpSession object by calling the public method getSession() of HttpServletRequest, as below –

You need to call request.getSession() before you send any document content to the client. Here is a summary of the important methods available through the HttpSession object –


Method & Description


public Object getAttribute(String name)

This method returns the object bound with the specified name in this session, or null if no object is bound under the name.


public Enumeration getAttributeNames()

This method returns an Enumeration of String objects containing the names of all the objects bound to this session.


public long getCreationTime()

This method returns the time when this session was created, measured in milliseconds since midnight January 1, 1970 GMT.


public String getId()

This method returns a string containing the unique identifier assigned to this session.


public long getLastAccessedTime()

This method returns the last accessed time of the session, in the format of milliseconds since midnight January 1, 1970 GMT.


public int getMaxInactiveInterval()

This method returns the maximum time interval (seconds), that the servlet container will keep the session open between client accesses.


public void invalidate()

This method invalidates this session and unbinds any objects bound to it.


public boolean isNew()

This method returns true if the client does not yet know about the session or if the client chooses not to join the session.


public void removeAttribute(String name)

This method removes the object bound with the specified name from this session.


public void setAttribute(String name, Object value)

This method binds an object to this session, using the name specified.


public void setMaxInactiveInterval(int interval)

This method specifies the time, in seconds, between client requests before the servlet container will invalidate this session.

Session Tracking Example

This example describes how to use the HttpSession object to find out the creation time and the last-accessed time for a session. We would associate a new session with the request if one does not already exist.

Compile the above servlet SessionTrack and create an appropriate entry in the web.xml file. Now running http://localhost:8080/SessionTrack would display the following result when you run it for the first time −

Welcome to my website

Now try to run the same servlet a second time; it would display the following result.

Welcome Back to my website
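The behaviour described above can be reproduced with a servlet along the following lines. This is an added example, not the page's original SessionTrack listing; it assumes the javax.servlet API (Servlet 3.0 or later, so the @WebServlet annotation stands in for the web.xml entry), and the visitCount attribute name is hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; assumes the javax.servlet API (Servlet 3.0+ for the annotation).
@WebServlet("/SessionTrack")
public class SessionTrack extends HttpServlet {
    // Hypothetical attribute name chosen for this example.
    private static final String VISIT_COUNT = "visitCount";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Called before any content is written: the container may still
        // need to add the session cookie to the response headers.
        HttpSession session = request.getSession(true);

        String title;
        int visits;
        if (session.isNew()) {
            // The client has not yet sent this session ID back.
            title = "Welcome to my website";
            visits = 1;
        } else {
            title = "Welcome Back to my website";
            Integer previous = (Integer) session.getAttribute(VISIT_COUNT);
            visits = (previous == null) ? 1 : previous + 1;
        }
        session.setAttribute(VISIT_COUNT, visits);

        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println(title);
        out.println("Creation time:      " + new Date(session.getCreationTime()));
        out.println("Last accessed time: " + new Date(session.getLastAccessedTime()));
        out.println("Visits in session:  " + visits);
        out.println("Idle timeout (s):   " + session.getMaxInactiveInterval());
    }
}
```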

Deleting Session Data

When you are done with a user's session data, you have several options −

  • Remove a particular attribute − You can call the public void removeAttribute(String name) method to delete the value associated with a particular key.
  • Delete the whole session − You can call the public void invalidate() method to discard an entire session.
  • Setting Session timeout − You can call the public void setMaxInactiveInterval(int interval) method to set the timeout for a session individually.
  • Log the user out − On servers that support servlets 2.4, you can call logout to log the client out of the web server and invalidate all sessions belonging to all the users.
  • web.xml Configuration − If you are using Tomcat, apart from the above-mentioned methods, you can configure the session timeout in the web.xml file as follows.

The timeout is expressed in minutes, and overrides the default timeout, which is 30 minutes in Tomcat.

The getMaxInactiveInterval( ) method in a servlet returns the timeout period for that session in seconds. So if your session is configured in web.xml for 15 minutes, getMaxInactiveInterval( ) returns 900.
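The first three options in the list above, side by side in one request handler. This is an added example, not code from the original page; it assumes the javax.servlet API, and the /SessionCleanup URL, the action parameter and the visitCount attribute name are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; URL, "action" parameter and attribute name are hypothetical.
@WebServlet("/SessionCleanup")
public class SessionCleanup extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a session,
        // so a cleanup request never allocates a new one.
        HttpSession session = request.getSession(false);

        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        if (session == null) {
            out.println("No active session");
            return;
        }

        String action = request.getParameter("action");
        if ("forget".equals(action)) {
            // Remove one attribute; the session and its other data stay alive.
            session.removeAttribute("visitCount");
            out.println("Removed visitCount");
        } else if ("shorten".equals(action)) {
            // Per-session timeout, given in seconds (15 minutes here).
            session.setMaxInactiveInterval(15 * 60);
            out.println("Timeout now " + session.getMaxInactiveInterval() + " seconds");
        } else {
            // Discard the whole session and unbind every object bound to it.
            session.invalidate();
            // Calling getAttribute() or setAttribute() on this object from
            // here on throws IllegalStateException.
            out.println("Session invalidated");
        }
    }
}
```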

All rights reserved © 2020 Wisdom IT Services India Pvt. Ltd
