Session Tracking

A conversation between server and a client is called session. This conversation consists of series of request and responses. The HTTP is a stateless protocol, so the server cannot identify from which client it is getting requests when there is s series of continuous request and response from a same client to a server. If there is a need to keep the conversational state, session tracking is needed. It always treats each request as a new request.

The client makes a connection to the server; it sends the request, gets the response, and finally closes the connection. In session management client first made a request for any servlet or any page, the recipient receives the request and generates a unique session ID and gives the customer along with the answer. This ID is stored in the client machine. Thereafter when the client request again sends a request to the server, then it sends the session ID with the application. Not see the container identification and sends the request.

Eg: – In a shopping cart application, a client generates a multiple request for adding items into his cart. In this method when a request is created, the server should identify in which client’s cart the item is to be added. In this scenario, we need for session tracking. The solution of this problem is when a client produces a request it should introduce itself by providing unique identifier every time.

There are five types of session tracking methods.

  1. User authorization
  2. Hidden fields
  3. URL rewriting
  4. Cookies
  5. Session tracking API

In all the server-side technologies normally we are use the first four methods. The session tracking API method is provided by underlying technology. For example, java servlet or PHP, etc. Session tracking method is built on the first four methods.

User Authorization

In the use of web application users can identified in different ways. The basic concept of this method is that the user can provide username and password to login to the application. Based on the username and password the user can be identified and the session can be maintained.

Hidden Fields

Hidden fields can be inserted in the webpages and information can be sent to the server for session tracking. Hidden fields can be created by using the keyword “hidden”. These fields are viewed using view source option from the browsers, but it cannot be visible directly to the user. This type doesn’t need any special configuration from the browser of server and by default available to use for session tracking. This cannot be used for session tracking when the conversation included static resources link html pages.

Eg: – <INPUT TYPE=”hidden” NAME=”technology” VALUE=”servlet”>

URL Rewriting

When a request is create, additional parameter is added with the URL. In general appended additional parameter will be sessionid or sometimes the userid. It helps to track the session. This type of session tracking doesn’t need any special support from the browser.

Disadvantage:-Implementing this type of session tracking is tedious. We need to keep track of the parameter as a chain link until the conversation completes and also should make sure that, the parameter doesn’t clash with other application parameters.

Eg: – Original URL is: – http://server:port/servlet/ServletName.

Rewritten URL is:-http://server:port/servlet/ServletName?sessionid=7456.


In session tracking methods cookies are mostly used technology. Cookie is a key value pair of information, sent by the server to the browser. This should be saved by the browser in its space in the client computer. Whenever the browser sends a request to that server it sends the cookie along with it. Then the server can identify the client using the cookie. The source code of creating a cookie is given below,

Cookie cookie = new Cookie(“userID”,”7456”);

Using cookies the session tracking is easy to implement and maintained.

Disadvantage: – The users can opt to disable cookies using their browser preferences. In such case, the browser will not save the cookie at client computer and session tracking fails.

Session tracking API

Session tracking API is built on top of the first four methods. This is inorder to help the developer to minimize the overhead of session tracking. In this type of session tracking is provided by the underlying technology. Let’s take the java servlet example. Then, the servlet container manages the session tracking task and the user need not do it explicitly using the java servlets. This is the best of all methods, because all the management and errors related to session tracking will be taken care of by the container itself.

Every client of the server will be mapped with a javax.servlet.http.HttpSession object. Java servlets can use the session object to store and retrieve java objects across the session. Session tracking is at the best when it is implemented using session tracking API.

We have to destroy the session by calling the invalidate () method on the session object.

Eg. session.invalidate();

import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;
/** Servlet that uses session tracking to keep per-client
* access counts. Also shows other info about the session.
public class ShowSession extends HttpServlet {
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException {
HttpSession session = request.getSession();
String heading;
Integer accessCount =
if (accessCount == null) {
accessCount = new Integer(0);
heading = "Welcome, Newcomer";
} else {
heading = "Welcome Back";
accessCount = new Integer(accessCount.intValue() + 1);
// Integer is an immutable data structure. So, you
// cannot modify the old one in-place. Instead, you
// have to allocate a new one and redo setAttribute.
session.setAttribute("accessCount", accessCount);
PrintWriter out = response.getWriter();
String title = "Session Tracking Example";
String docType =
out.println(docType +
"<HTML>\n" +
"<HEAD><TITLE>" + title + "</TITLE></HEAD>\n" +
"<BODY BGCOLOR=\"#FDF5E6\">\n" +
"<CENTER>\n" +
"<H1>" + heading + "</H1>\n" +
"<H2>Information on Your Session:</H2>\n" +
"<TABLE BORDER=1>\n" +
"<TR BGCOLOR=\"#FFAD00\">\n" +
" <TH>Info Type<TH>Value\n" +
"<TR>\n" +
" <TD>ID\n" +
" <TD>" + session.getId() + "\n" +
"<TR>\n" +
" <TD>Creation Time\n" +
" <TD>" +
new Date(session.getCreationTime()) + "\n" +
"<TR>\n" +
" <TD>Time of Last Access\n" +
" <TD>" +
new Date(session.getLastAccessedTime()) + "\n" +
"<TR>\n" +
" <TD>Number of Previous Accesses\n" +
" <TD>" + accessCount + "\n" +
"</TABLE>\n" +
New User
New User

First visit by client to ShowSession servlet.

Subsequent Visit by same User
Subsequent Visit by same User

Twelfth visit to ShowSession servlet. Access count for this client is independent of number of visits by other clients.