1 - Where session variables is stored in java web application ? on the client or the server side ?
2 - If i put a lot of objects and variables through the session it will slow down client's requests ?
P.S In my case i use spring mvc.
The "session" variable consists of two pieces, a very small session identifier which is stored on the client usually named jSessionId and stored as a cookie. But, the sessionId may also be encoded into URLs.
The second piece of a session is the actual data, and it is stored on the server. Possibly in a server-side database if the your server is part of a multi-server cluster. Each session is identified by that sessionId and the client sends it with every request. That is why it is designed to be very small.
Simple answer is : your session data are stored on the server side.
Web browser will get only an string id to identify it's session.
In fact, spring security takes more care of session information, because if users even don't login, session may not exist at all.
When I use spring mvc only, I don't use session to store important data, because session is stored in memory only. It is designed to save data temporarily.
When I use spring security, I have to save many important things in memory, such as account data which could not be transmitted on internet, and I won't load them from database every time. So I have to choose session.
So when the server which stored login session is down, all users have logged in on this server would have to relogin to retrieve another session id.
Session is not always the best choice, because when we have many servers that use session data, I have to share the data among all servers, anyway, net IO is expensive for servers.
1.it stored on server
2.Session stored on server ,so the Object you set in it may also stored on server.Request only send a SessionId to server to indentify this users Session to other users Session.
Related
I have two war files such as war1 and war2
If am login the application, the session will be created in war1 and from that if am navigate to war2, there i need the same session data.
I tried crossContext=true in context.xml of server from that i can access the data by storing it in servletContext.
But the issue is once i logined the screen in chrome the session data will be stored in servletContext and the data will maintain till the application is running.
If am giving the same URL in another browser like IE here also, i can get the servletContext data so instead of navigate to login page the corresponding screen will be opened
Kindly suggest me how can i overcome this issue in java?
Is there any way to findout browser switching or incognito window mode of the browser in java?
Note: am using tomcat server
I have never dealt with your exact configuration problem, but even if you can make this work on a single Tomcat instance, you might have problems should your two web applications ever be distributed across multiple Tomcat instances.
So, I am going to suggest that you actually use a database to store state which needs to be passed between the two applications in a safe and reliable way. Note that the database approach also scales nicely in a distributed environment, so long as you have a single logical database.
While session replication indeed can be done in Tomcat (see here) I really suggest you to avoid this type of issues by eliminating the session altogether.
This session replication is an approach that was somewhat common before ~15-10 years, but nowadays when we have a lot of servers running in parallel to serve user requests and have elastic clusters, this approach is not good enough because basically it doesn't scale well.
There are many ways to achieve what you want, though:
Use a shared database to store the session information. Add some session Id to the response and require the client to pass this id back into all subsequent request along the session. Then execute a query to the Database by this Id and retrieve all the session information.
This solution also doesnt really scale well, but then you can shard the session information if the db permits to do so...
Use Redis/Aerospike to save the session information of the currently connected user. somewhat like DB approach, but since redis run in-memory it will be much faster. In general, this approach can be used in conjunction with 1 where redis is an in-memory cache.
Encrypt the session information or even just sign cryptographically and send back to client. Client will have to supply this information along with the request without knowing which server will actually serve this request.
Without delving into cryptography I'll just state that encryption can be done if you don't want client to see the session information (despite the fact that this is the user whose information is supplied) and signature is used to prevent tempering the data (while sending it back to server).
The data can be supplied to server from client via Header or cookie for instance.
I am working on a Java web application which involves allocating server resources on a per http session basis. So the http session ID would become part of the key of a database table, and its uniqueness in the table is a must. The description of the Java HttpSession.getID() method claimed that this ID is unique, so the server side should have someway to enforce such nature. But on the client browser, HTTP session is usually shared by multiple browsing windows unless explicitly request a new session to be to used. This suggests that the browser have active control over session usage as well. So which side is responsible for the generation of HTTP session ID? Or it is a combined effort of both sides? Is there any chance that the same session ID is generated accidentally by browsers on different computers accessing the same website?
Session id is generated by server and is usually granted to a visitor on his/her first visit to a site.
A session ID is a unique number that a Web site's server assigns a
specific user for the duration of that user's visit (session). The
session ID can be stored as a cookie, form field, or URL (Uniform
Resource Locator). Some Web servers generate session IDs by simply
incrementing static numbers. However, most servers use algorithms that
involve more complex methods, such as factoring in the date and time
of the visit along with other variables defined by the server
administrator.
I was wondering if there was a "standard" way for handling persitent HTTP sessions in a GAE based web app. Let me explain my issues.
If I only use this.getThreadLocalRequest().getSession() to get a session, this session will be automatically invalidated once the user closes the browser.
If I go with Cookies (so the session will persist until the cookie expires or the user erases his cookies), I need to have a kind of mechanism for validating that the sessionID stored in the cookie actually belongs to a valid session. I've thought about storing a key value pair of sessionID, HttpSession in a concurrentHashMap, but now I run into the problem that this hashmap will be available only for the current instance, therefore I might run into consistency problems.
The last solution I thought of was keeping track of the session in the datastore, but it seems pretty ridiculous to me having to query the datastore each time I receive a request.
Maybe I'm totally out of the track and there's a really simple way to achieve what I'm trying to do: Http sessions that persist across browser restarts and multiple gae instances.
Thanks!
Rodrigo.
You typically use a cookie to implement remember-me. The idea is to generate a random and unique cookie for an authenticated user, store it with the rest of the user information in the database, and send the cookie to the client browser.
Now, when the client comes back 5 days later, the cookie is sent with its first request to your application. At this time, if the user is not authenticated yet, you can extract the cookie from the request, find the user in the database who owns this cookie, and automatically authenticate him as if he sent his credentials.
This solution doesn't need to modify anything to how the sessions are handled by GAE.
I have faced this question in my Interview as well. I do have many confusion with Session Scope & it management in java.
In web.xml we do have the entry :
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
What does it indicate actually ? Is it scope of whole project ?
Another point confusing me is how can we separate the session scope of multiple request in the same project? Means if I am logging in from a PC & at the same time I am logging in from another PC, does it differentiate it ?
Also, another confusing thing is the browser difference. Why does the different Gmails possible to open in different browsers ? And Gmail can prevent a session from Login to Logout. How is it maintained with our personal web ?
Session management is not something limited to Java and servlets. Here's roughly how it happens:
The HTTP protocol is stateless, so the server and the browser should have a way of storing the identity of the user through multiple requests
The browsers sends the first request to the server
The server checks whether the browser has identified with the session cookie (see below)
3.1. if the server doesn't 'know' the client:
the server creates a new unique identifier, and puts it in a Map (roughly), as a key, whose value is the newly created Session. It also sends a cookie response containing the unique identifier.
the browser stores the session cookie (with lifetime = the lifetime of the browser instance), containing the unique identifier, and uses it for each subsequent request to identify itself uniquely.
3.2. if the server already knows the client - the server obtains the Session corresponding to the passed unique identifier found in the session cookie
Now onto some the questions you have:
the session timeout is the time to live for each session map entry without being accessed. In other words, if a client does not send a request for 30 minutes (from your example), the session map will drop this entry, and even if the client identifies itself with the unique key in the session cookie, no data will be present on the server.
different gmails (and whatever site) can be opened in different browsers because the session cookie is per-browser. I.e. each browser identifies itself uniquely by either not sending the unique session id, or by sending one the server has generated for it.
logging from different PCs is the same actually - you don't share a session id
logging-out is actually removing the entry for the session id on the server.
Note: the unique session id can alternatively be stored:
in a cookie
in the URL (http://example.com/page;JSESSIONID=435342342)
2 or 3 other ways that I don't recall and aren't of interest
What does it indicate actually ?
The lifetime of a session. The session expires if there is no transaction between the client and the server for 30 minutes (per the code segment)
Is is scope of whole project ?
It has application scope. Defined for each web application
Another point confusing me is how can
we separate the session scope of
multiple request in the same project?
Means if I am logging in from a PC &
at the same time I am logging in from
another PC, does it differentiate it ?
Yes. The session ids (JSESSIONID for Apache Tomcat) will be different.
Also, another confusing thing is the
browser difference. Why does the
different Gmails possible to open in
different browsers ?
Each login by the same user from a different browser is a different session altogether. And the cookies set in one browser will not affect in another. So different Gmail instances are possible in different browsers.
And Gmail can prevent a session from
Login to Logout. How is it maintained
with our personal web ?
Persistent cookies
Servlets in Java have an HttpSession object which you can use to store state information for a user. The session is managed on the client by a cookie (JSESSIONID) or can be done using URL rewrites. The session timeout describes how long the server will wait after the last request before deleting the state information stored in a HttpSession.
The scope is per browser instance, so in the example you give logging in from two different pcs will result in two session objects.
if you open the same application in different window i mean multiple instance of a browser it will create different session for every instance.
I recommand Apache Shiro for session management,Authentication and authorization.
I take it back.
As #BalusC commeneted below, only servlet container is in charge of managing the http session. Shiro is just using that. It will hook to HttpSession via a filter you explicitly define.
we have 4 ways to manage a session.
1.Cookies
2.URL rewriting
3.Hidden form fields
4.HTTP session
the fourth one is powerful and mostly used now-a-days.
I work on a task that involves moving/traversing from one application to another. The applications are in separate JVMs.
While traversing to the other application, I keep track of the session ID. However, as I traverse back and forth, a new session gets created. Is there any way for me to get back the same session, using the sessionId that I retain, when I navigate back into my parent application from a child application?
Environment: J2EE with WebSphere.
As mentioned by Mork0075, the sessionID is tied to the cookie name and the server domain. If you're using the same server domain for two apps on separate JVMs, I see two options to maintain the session when switching between applications:
The long shot:
1) If you're using a database for session replication purposes, you can use the same database for both applications, and the sessionID will be available for both apps. The one problem I see here is that the objects in the session may not be available on both sides, since the code would be different etc. They'd probably clobber the other side's session objects unless you maintained the code and such on both sides so the objects were available.
The likely possibility:
2) Use different cookie names for the session on one of the two apps. By default, sessions use JSESSIONID as the cookie, and when you switch to the second app, it tries to look up a session based on that cookiename and can't find it. So, it creates a new sessionID and sends it back to the browser, thus causing your sessionID to change and not be available when you switch back to the original app. However, if you change the second app's sessionID to something else (say, JSESSIONID2) your browser would end up with two valid sessionIDs that would each be valid on their correct application. You can change the name via the administration console under the application server's Session Management->Enable cookies page.
I'am not sure if this helps, but in a ONE application scenario, you would submit a sessionID with every reponse, save it in the URL, a cookie or as a hidden field. By submitting a new request to the server, the sessionID is also submitted, to resolve it at server side. In my understand switching from one application to another means, that you have to give the sessionID with the user, across the applications. If you save the sessionID in a cookie, this perhaps is not possible, because the cookie is restricted to a certain server domain. So ensure that the session is still valid and the sessionID is present after returning to the application started.
You shouldn't have to do this manually. Most app servers support Single Sign On (SSO) so that you can log in to one application and have access to all the applications in the same SSO domain. The app server will keep track of session ids and link them to an HTTPSession object specific to the web app.
See http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/csec_sso.html