Session Management

Sessions and Listeners

Technique: Error Handling in Servlets

#Session #UrlRewriting #HiddenForm

#SessionTracking #Cookie
#ShoppingCart #ErrorHandle
#JSP

05/23/2024
 Review
• JSP
– JSP Syntax
• Comment
• Scripting Element: declaration, scriptlets, expression
• Directives (page, include, taglib)
– JSP Life Cycles
– JSP Implicit Object
• MVC Pattern
– No MVC
– MVC 1
– MVC 2
05/23/2024
 Objectives

• Build the Web Application?

– Session Tracking Techniques
– Break down structure component in building web
application
• Techniques: Error Handling in Servlets
– Reporting Errors
– Logging Errors
– Users Errors vs. System Errors

05/23/2024
 Build a Web App
Expectation

05/23/2024
 Sessions & Listeners
Session
• Is the period of connection between client and server
• Is a group of activities that are performed by a user while
accessing a particular web site
• HttpSession are virtual connection between client and
server
• Web container reserves an individual memory block for
storing information about each session → Session
objects.
• The session tracking (mechanism)
– Serves the purpose tracking the client identity and other state
information required throughout the session
– Allows the server to keep a track of successive requests made
by same client
– Allows the customer to maintain the information with the
server as long as the customer does not log out from the website
05/23/2024
 Sessions & Listeners
Session Tracking Techniques
• URL Rewriting
• Hidden form field
• Cookies
• HttpSession interface

05/23/2024
 Sessions & Listeners
URL Rewriting

• Maintains the state of end user by modifying the URL.

• Adds some extra data at the end of the URL
• Is used when the information to be transferred is not critical.
• Syntax: url?query_string
• Ex
– <a href=“http://localhost:8080/Books?category=java”> Java Books </a>
– <form action=“http://localhost:8080/UpdateProfile?uid=123” method=“get”>
---------- </form>
• Disadvantages:
– Server side processing is tedious.
– Every URL that is returned to the user should have additional information
appended to it.
– If the user leaves the session and opens the Web page using a link or
bookmark then the session information is lost.
– The query string is limited

05/23/2024
 Sessions & Listeners
Hidden Form Fields
• Simplest technique to maintain the state of an end user.
• Insert the session identifier into the hidden form field in the HTML of each page
• Embedded the hidden form field in an HTML form and not visible when you
view an HTML file in a browser window.
• The session information can be extracted by the application by searching for these
fields. The servlets or JSP pages read the field using request.getParameter().
• Syntax
<input type=“hidden” name=“…” value=“…”>
• Ex
<input type=“hidden” name=“productId” value=“P01”>
• Advantages
– Simplest way to implement session tracking
– Displays nothing on the HTML page but can be used to hold any kind of data
– Helps to maintain a connection between two pages
• Disadvantages:
– Work on the dynamic pages.
– This method of session tracking displays sensitive information to the user.

05/23/2024
 Sessions & Listeners
Cookies
• Is a small piece of information sent by the web server to the client
to keep track of users.
• Size of each cookie can be a maximum of 4 KB.
• Cookie has values in the form of key-value pairs
• When the server sends a cookie, the client receives the cookie,
saves and sends it back to the server each time the client accesses
a page on that server
• Can uniquely identify a client (In the case of J2EE web applications,
the cookie returned has a standard name JSESSIONID and store in
memory)
• A web browser is expected to support 20 Cookies per host

05/23/2024
 Sessions & Listeners
• Advantages Cookies
– Remember user IDs and password.(low security)
– To track visitors on a Web site for better service and new features.
– Cookies enable efficient ad processing.
– Support e-advertisement on Internet and Security (can not affect virus).
• Disadvantages
– Personal information is exposed to the other users.
(spam/ junk mail, pop up …)
– Cookies fails to work if the security level is set too high in the Internet browser.
– Most browsers enable the user at the client machine to deactivate (not to
accept) cookies.
– The size and number of cookies stored are limited.
• Note
– Browser is accepted cookies
– Cookies are stored at
• C:\Documents and Settings\LoggedUserName\Cookies\
LoggedUserName@ContextPath[n].txt
• C:\Users\LoggedUserName\AppData\Local\Microsoft\Windows\Temporary Internet Files
\LoggedUserName@host[n].txt
• C:\Users\”UserName”\AppData\Local\Microsoft\Edge\User Data\Default\Network
– Cookies are existed following the setMaxAge and deleted automatically by OS
05/23/2024
 Sessions & Listeners
•
Cookies
The servlet API provides javax.servlet.http.Cookie class for creating and working with
cookies
• The constructor for the cookies class is: Cookie(java.lang.String name, java.lang.String
value)
• Sending Cookie

05/23/2024
 Sessions & Listeners
Cookies
• Reading Cookie

05/23/2024
 Sessions & Listeners
Cookies – Example
#1. Create #2. Create AddCookie
demoCookie.html Servlet.java

#3. Create PrintCookie

Servlet.java

05/23/2024
 Sessions & Listeners
Cookies – Example
#2. Create AddCookie
Servlet.java

05/23/2024
 Sessions & Listeners
Cookies – Example
#3. Create PrintCookie
Servlet.java

05/23/2024
 Sessions & Listeners
Cookies – Example

On Windows 11
❖ Microsoft Edge : C:\Users\”UserName”\AppData\Local\Microsoft\Edge\User
Data\Default\Network

05/23/2024
 Sessions & Listeners
Cookies – Example

❖ Google Chrome : C:\Users\”UserName”\AppData\Local\Google\Chrome\User Data\

Default\Network

05/23/2024
 Sessions & Listeners
Session Management: General Principles
• Each of these requests needs to carry a unique ID, which
identifies the session to which it belongs.
• The web application will allocate this unique ID on the
first request from the client.
• The ID must be passed back to the client so that the
client can pass it back again with its next request. In
this way, the web application will know to which session
the request belongs. This implies that the client must need
to store the unique ID somewhere—and that’s where
session management mechanisms come in
• The default mechanism for session management is
cookie
05/23/2024
 Sessions & Listeners
HttpSession interface
• Identifying user in a multi-page request scenario and
information about that user
• Is used to created a session between the client and server
by servlet container
– When users make a request, the server signs it a session object
and a unique session ID
– The session ID matches the user with the session object in
subsequent requests
– The session ID and the session object are passed along with the
request to the server
• Session Timeout
– Is necessary as session utilizes the memory locations
– Prevent the number of session increasing infinitely.
– Set either in the web.xml file or can be set by the method
setMaxInactiveInterval()
05/23/2024
 Sessions & Listeners
HttpSession interface Methods
Methods Descriptions

- request.getSession(boolean create);
- Obtain a current session objects
getSession
- The getSession() method with true parameter is used to create a new
session (no current session)

- public String getId()

- Returns a string containing the unique identifier assigned to this session.
getId
The servlet container assigns the identifier and it is implementation
independent
- public long getCreationTime()
getCreationTime
- Returns the creation time of session.
- public long getLastAccessedTime()
getLastAccessedTime
- Returns the last accessed Time of session
- public int getMaxInactiveInterval()
getMaxInactiveInterval - Returns the maximum time interval, in seconds, for which the servlet
container will keep the session alive between the client accesses
- public void setMaxInactiveInterval(int interval)
setMaxInactiveInterval - Specifies the time, in seconds, between the client requests before the
servlet container invalidates the current session

05/23/2024
 Sessions & Listeners
HttpSession interface Methods

Methods Descriptions
- public boolean isNew()
isNew - Returns true if the client is unaware about the session or
choose not to be part of the session
- public void invalidate()
- Invalidates the session and the objects bound to the
session are bounded. This method throws
IllegalStateException if called on already invalidated
session
invalidate
- To avoid the hacker from causing any harm
- Destroys the data in a session that another servlet or JSP
might require in future. Therefore, invalidating a session
should be done cautiously as sessions are associated with
client, not with individual servlets or JSP pages

05/23/2024
 Sessions & Listeners
HttpSession interface – Example

05/23/2024
 Sessions & Listeners
HttpSession interface
#1. Create
– Example
index.html

#2. Create
ViewSessionInfo.jsp

05/23/2024
 Sessions & Listeners
HttpSession interface – Example

05/23/2024
 Sessions & Listeners
HttpSession interface
• Distributed Session
– A session is available to be shared between web resources in a single web
application (e.g. a session cannot cross web application boundaries)
• Session Death is controlled in one of 3 ways
– Application Server Global Default
– Web Application Default (minutes)
• A negative value or zero value causes the session to never expire

– Individual Session Setting using setMaxInactivateInterval() method

• A negative value supplied as an argument causes the session to never expire
• Other Session APIs
– HttpSession.getServletContext() returns the SessionContext that the session
is attached

05/23/2024
 Sessions & Listeners
HttpSession interface

How to
store
value?

05/23/2024
 Sessions & Listeners
1. Input and
HttpSession interface
click button/link
3. Send request 4. Dispatch to Servlet/Web Container
Containter
Web/App
Server
10. Send response 9. Attach ID
& store in cookie to response 5. Send
2. Generate the 8. Manipulate
Request msg (if any) Resources

OS Session
Object 6. create
Session Obj
7. Assign
Session ID to
Session Object
Client Server

05/23/2024
 Sessions & Listeners
1. Input and
click button/link
HttpSession interface
again (2..n)
3. Send request 4. Dispatch to Servlet/Web Container
Containter
Web/App
Server
10. Send response
5. Send
7. Response
2. Generate the
Request msg Resources
with id session

OS Session
6. Manipulate
Object
(if any)

Client Server

05/23/2024
 Sessions & Listeners
Conclusion
Store data/object at
server site Session object
Tracking But, SessionID is
Session stored at client
Mechanism
Located
at client’s Cookies
system fie
Store
data/object at
client site Located
URL rewriting
at query
string

Located on web page

and pass via form’s Hidden form fields
parameter

05/23/2024
 Error Handling in Servlet
Reporting Error
• There are many situations occur an error
– A requested page may be moved from one location to another.
– The address may be wrongly typed.
– The requested page may be forbidden, may be temporarily deleted or
correct HTTP version might not have found.
– There are other situations where an error may generated.
• Error during the execution of a web application are reported

05/23/2024
 Error Handling in Servlet
Reporting Error – Example

05/23/2024
 Error Handling in Servlet
Reporting Error – Example

3
2

05/23/2024
 Error Handling in Servlet
Reporting Error – Example

05/23/2024
 Error Handling in Servlet
Reporting Error (on IE)

Uncheck the option “Show friendly HTTP error messages” from Tools/
“Internet Options” to set up the browser would be presented the user defined
message
05/23/2024
 Error Handling in Servlet
Reporting Error – Example
1

05/23/2024
 Error Handling in Servlet
Reporting Error – Example

05/23/2024
 Error Handling in Servlet
Reporting Error – Example
1

05/23/2024
 Error Handling in Servlet
Reporting Error – Example

05/23/2024
 Error Handling in Servlet
Reporting Error – Example

05/23/2024
 Error Handling in Servlet
Reporting Error – Example – Others

Display the error on

the another page

05/23/2024
 Error Handling in Servlet
Logging Error

05/23/2024
 Error Handling in Servlet
Logging Error

05/23/2024
 Error Handling in Servlet
Logging Error
• Servlet can store the actions and errors through the log() method
of the GenericServlet class.
• The log() method also assists in debugging and can viewed record
in a server
• Syntax: public void log (String msg [, Throwable t])
• Ex:
…
log("Servlet is not found ");
response.sendError(response.SC_INTERNAL_SERVER_ERROR, "The requested
page ["+ page + "] not found.");
…
• A log file locate at
– C:\Documents and Settings\LoggedUser\Application Data\NetBeans\ 7.4\
apache-tomcat-7.0.41.0_base\logs\localhost.yyyy-mm-dd.log
– C:\Users\LoggedUser\AppData\Roaming\NetBeans\7.4\
apache-tomcat-7.0.41.0_base\work\Catalina\logs\localhost.yyyy-mm-dd.log

05/23/2024
 Error Handling in Servlet
Logging Error

05/23/2024
 Error Handling in Servlet
Logging Error

05/23/2024
 Build The Web App
Shopping Cart

05/23/2024
 Build The Web App
Shopping Cart #1. Create
web.xml

05/23/2024
 Build The Web App
Shopping Cart
#2. Create
ProductDTO.java

05/23/2024
 Build The Web App
Shopping Cart
#3. Create
CartDTO.java

05/23/2024
 Build The Web App
Shopping Cart

05/23/2024
 Build The Web App
Shopping Cart

05/23/2024
 Build The Web App
Shopping Cart – View Product
#4. Create
viewProduct.jsp

05/23/2024
 Build The Web App
Shopping Cart
#5. Create
MainController.java

05/23/2024
 Build The Web App
Interactive Server Model – Add To Cart
2. Send request
1. Select Items
Web/App Servlet
2. Add to Cart
Server
6. Update Session 5. Check
& Response with 3. Get Session Cart Obj
shopping page 4.Get Cart Obj
Cart
Obj 5.2. No → New 5.1. Yes → check
existed item

5.1.2. No → 5.1.1. Yes →

New Item and update existed
Add To Cart item’s quantity

Client Server

05/23/2024
 Build The Web App
Shopping Cart – Add To Cart
#6 .Create
AddToCartController.java

05/23/2024
 Build The Web App
Interactive Server Model – View Cart
3. Get Session
2. Send request

Web/App Servlet
Server
1. Click View Carts 4.1. No → 4. Check
6. Response with Error Session
display or error page

4.2. Yes →
5.1. Yes → 5.2. No →
get Cart Obj
Traversal Obj Error
to display Cart
Obj
5. Check existed
Object

Client Server

05/23/2024
 Build The Web App
Shopping Cart – View Cart
#7. Create viewCart.jsp

05/23/2024
 Build The Web App
Shopping Cart – View Cart

05/23/2024
 Build The Web App
Shopping Cart – Update Cart
#8. Create
ChangeController.java

05/23/2024
 Build The Web App
Interactive Server Model – Remove
7. Call View
3. Get Session
2. Send request again

1. Select Items
Web/App Servlet
2. Remove Cart
Server
4.1. No → 4. Check
6.1. Yes → Error Session
8. Response with
Remove
display or error page
6.2. No →
Error 4.2. Yes →
5.2. No →
get Cart Obj
Error
5. Check existedCart
Object Obj
5.1. Yes → get selected
items & 6. check

Client Server
05/23/2024
 Build The Web App
Shopping Cart – Remove Cart
#9. Create
RemoveController.java

05/23/2024
 Summary
• How to write CRUD Web Application
– Session Tracking Techniques
– Manipulate DB Techniques in Web Application
– Break down structure component in building web
application
• Techniques: Error Handling in Servlets
– Reporting Errors
– Logging Errors
– Users Errors vs. System Errors

Q&A
05/23/2024
 Next Lecture
• JSP Standard Actions
– JavaBeans
– Standard Actions
• Dispatcher Mechanism
– Including, Forwarding, and Parameters
– Vs. Dispatcher in Servlets
• EL – Expression Languages
– What is EL?
– How to use EL in JSP?

05/23/2024
 Practice

Do Lab05_ShoppingCartMVC2.pdf

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Interactive Server Model
2. Send request
1. Select Items
Web/App Servlet
2. Add to Cart
Server
5. Response with 4. Check
writing cookies 3. Get Cookies cookies
and return page Get selected item
Cookie
4. No → New 4. Yes → check
existed item

4. No → New 4. Yes → update

existed item

Client Server
05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Interactive Server Model
3. Get Cookies
2. Send request 4. Check cookies

Web/App Servlet
Server
4’’. Yes →
1. Click View Carts traversal
4. Check
4’. No → cookies to
cookies
Error display

5. Response with
display or error page

Client Server

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Interactive Server Model
2. Send request
1. Select Items
Web/App Servlet
2. Remove Cart
Server
6. Response with 4. Check
reload page or cookies
3. Get Cookies
show error msg
Get selected items

4. No → 4. Yes → update
create msg item value to 0

4’. Update
Cookies object

Client Server

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Appendix
Shopping Cart using Cookies

05/23/2024
 Sessions & Listeners
Shopping Cart using Cookies – Example

05/23/2024
 Appendix
Request and Context Listeners

• There are two things that need to do to set up a listener in a web

application:
– Write a class that implements the appropriate listener interface.
– Register the class name in the web application deployment descriptor,
web.xml.
<listener>
<listener-class>className</listener-class>
</listener>
05/23/2024
 Appendix
Request Listeners
• ServletRequestListener deals with the life cycle of each request
object
• A class implementing the ServletRequestListener interface has 2
methods
– requestInitialized(): is called the moment that any request in the web
container be comes newly available (or it is called at the beginning of any
request’s scope)
• This is at the beginning of a servlet’s service() method or earlier than that if filter
chain is involved
– requestDestroyed(): is called for each request that comes to an end – either
at the end of the servlet’s service() method or at the end of the doFilter()
method for the first filter in a chain
• Each of these ServletRequestListener methods accept a
ServletRequestEvent as a parameter. This event object has 2
methods
– getServletContext()
– getServletRequest()
05/23/2024
 Appendix
Request Listeners

05/23/2024
 Appendix
Request Attribute Listeners
• ServletRequestAttributeListener deals with the life cycle of the
attributes attached to request objects
• A class implementing the ServletRequestAttributeListener
interface has 3 methods
– attributeAdded(): is called whenever a new attribute is added to any request
– attributeRemoved(): is called whenever an attribute is removed from a request
– attributeReplaced(): is called whenever an attribute is replaced
• Each of these ServletRequestAttributeListener methods accept a
ServletRequestAttributeEvent as a parameter. This event object has
2 methods
– getName(): returns name of attribute
– getValue(): returns old value of attribute
• The ServletRequestAttributeEvent inherits from ServetRequestEvent
• The “grandparent” of The ServletRequestEvent is
java.util.EventObject
– The getSource() method returns the object that is the source of the event
05/23/2024
 Appendix
How to Add Listener to Web Project

05/23/2024
 Appendix
How to Add Listener to Web Project

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Context Listener
• Contexts have 02 listeners:
– ServletContextListener
• Receive notifications about changes to the servlet context of
the Web application
– contextInitialized(): gets called before any servlet’s init() method
or any filter’s doFilter() method
– contextDestroyed(): gets called after the servlet’s or filter’s
destroy() method
– Both of methods get passed a ServletContextEvent object that
provides the getServletContext() method
– ServletContextAttributeListener
• Recieves a notification about any modifications made to the
attribute list on the servlet context of a web application
• Has the same trio of methods as
ServletRequestAttributeListener
05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Session Listeners Declared in DD
• Sessions have 02 listeners:
– HttpSessionListener
• Implements the changes to the list of active sessions in Web application
• sessionCreated() method: is called whenever a new session is provided
(can say that after the getSession() method)
• sessionDestroyed(): is called at the end of the sessions (within the call
invalidate() or session time out but before the session become invalid)
• Both of methods get passed a HttpSessionEvent object that provides the
getSession() method
– HttpSessionAttributeListener
• Is called whenever some changes are made to the attribute list on the
servlet session of a Web application
• Is used to notify when an attribute has been added, removed or replaced
by another attribute
• Has the same trio of methods as ServletRequestAttributeListener that are
passed the HttpSessionBindingEvent (is inherited from HttpSessionEvent)
05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Practices – Example

05/23/2024
 Appendix
Session Listeners Not Declared in DD
• Have 02 listeners:
– HttpSessionBindingListener
• Notifies the object when it is being bound to or unbound from a session
• This notification can be the result of a forced unbinding of an attribute
from a session by the programmer, invalidation of the session or due to
timing out of session
• This implementation do not require any configuration within the
deployment descriptor of the Web application
• Notes: The object data types not implemented in BindingListener don’t
fire any events!

05/23/2024
 Appendix
Session Listeners Not Declared in DD - Example

05/23/2024
 Appendix
Session Listeners Not Declared in DD - Example

05/23/2024
 Appendix
Session Listeners Not Declared in DD
• Have 02 listeners (cont)
– HttpSesssionActivationListener (receives events when
a value object is transported across JVMs).
• Stateful session (activated and passivated)
• Is implemented when a container migrates the session
between VM or persists sessions and is not required any
configuration within the deployment descriptor

05/23/2024