Session Tracking

HTTP is a stateless protocol, that is, it provides no way for a server to recognize that a sequence of requests all come from the same client.

To allow the server to track state, the client must identify itself as it makes each request.

User Authorization

One way to perform session tracking is to leverage the information that comes with user authorization.

User authorization occurs when a web server restricts access to some of its resources to only those clients that log in using a recognized username and password. After the client logs in, the username is available to a servlet through getRemoteUser().

Once a user has logged in, the browser remembers the username and resends the name and password as the user views new pages on the site. A servlet can identify the user through the username and thereby track the session.

Hidden Form Fields

One way to support anonymous session tracking is to use hidden form fields. You can include hidden form fields with session identification codes:

<input type="hidden" name="session_id" value="94040qxy">

The advantages of hidden form fields are their ubiquity and support for anonymity. Hidden fields are supported in all the popular browsers, they impose no special requirements on the server, and they can be used with clients that have not registered or logged in.

The major disadvantage is that the technique works only for a sequence of dynamically generated forms. It breaks down with static documents, emailed documents, bookmarked documents, and browser shut-downs.

URL Rewriting

With URL rewriting, every local URL the user might click on is dynamically modified, or rewritten, to include extra information. Examples of extra information include extra path information, query strings, added parameters, or some custom, server-specific URL change. Due to limited space available in rewriting a URL, the extra information is usually limited to a unique session ID.

Persistent Cookies

A cookie is a bit of information sent by a web server to a browser that can later be read back from that browser. When the browser receives a cookie, it saves the cookie and thereafter sends the cookie back to the server each time it accesses a page on that server.

Cookies offer a simple, elegant way to implement session tracking. The biggest problem is that browsers don't always accept cookies. Users have the option to disable cookies (out of privacy concerns, perhaps).

Session Tracking API

The Servlet API provides several methods and classes specifically designed to handle session tracking on behalf of servlets.
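As an added example (not code from these notes), the servlet below uses the Session Tracking API to tie the cookie and URL-rewriting mechanisms described above together: the container issues the session ID as a cookie, and response.encodeURL() falls back to URL rewriting only when the browser did not send the cookie back. The /visit path, the "visits" attribute name and the logout parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Counts a visitor's page views using the container-managed session. */
public class VisitCounterServlet extends HttpServlet {

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();

        // Logout (assumed parameter): discard the server-side state so the
        // old ID can no longer be used to resume this session.
        if ("1".equals(req.getParameter("logout"))) {
            HttpSession old = req.getSession(false);   // false: do not create one
            if (old != null) {
                old.invalidate();
            }
            out.println("<html><body><p>Session ended.</p></body></html>");
            return;
        }

        // getSession(true) creates a session if the request carries no valid
        // ID; a stale or unknown ID is ignored and a fresh one is issued.
        HttpSession session = req.getSession(true);

        Integer count = (Integer) session.getAttribute("visits");
        count = Integer.valueOf(count == null ? 1 : count.intValue() + 1);
        session.setAttribute("visits", count);

        // Report how the session was identified on this request.
        String how = session.isNew() ? "new session"
                   : req.isRequestedSessionIdFromCookie() ? "resumed via cookie"
                   : "resumed via rewritten URL";

        out.println("<html><body>");
        out.println("<p>Visits this session: " + count + " (" + how + ")</p>");
        // encodeURL() appends the session ID to the link only when the client
        // did not return it in a cookie, so cookie-less browsers still work.
        out.println("<a href=\"" + res.encodeURL("/visit") + "\">visit again</a>");
        out.println("<a href=\"" + res.encodeURL("/visit?logout=1") + "\">end session</a>");
        out.println("</body></html>");
    }
}
```

Because a rewritten URL carries the session ID in plain sight, it has the same weakness as hidden fields: a bookmarked or forwarded link exposes the ID, so links that leave the site should not be passed through encodeURL().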

Maintained by John Loomis, last updated 22 Feb 2001