Web Application

Start the session by explaining the concept of HTTP-statelessness. Explain why and in what situations it is important to maintain ‘state’ and track users. In this context, identify the various ways in which you can keep track of users in a Web application.

Explain and demonstrate the use of cookies in a Web application. You could refer to the example given in the Focus Areas section to explain cookies.

Explain and demonstrate the use of sessions in a Web application. Ask the students to compare cookies and sessions. Also, ask them to identify problems with other techniques such as using hidden fields.

Explain the usage of the application object in brief. Refer to the Focus Areas section for explaining advanced concepts.

The following section provides some extra inputs on the important topics covered in the SG:

Understanding Cookies – An Example

Open http://mail.yahoo.com from your computer. Enter your login credentials and select the ‘Remember my ID on this computer’ checkbox. Access your mail account and do not sign out. Now, the next time you log on to the site from the same computer, you will not need to enter your credentials. You will be directly taken to your mail account when you type http://mail.yahoo.com. Next, on Internet Explorer, select Tools->Internet Options->General tab and click the Delete Cookies button. Click OK to delete the cookies and then again click OK to close the Internet Options dialog box. On Netscape Navigator, the same action can be performed by selecting Tools->Cookie Manager->Manage Stored Cookies and then clicking the Remove All Cookies button in the dialog box that opens.

After you have deleted cookies, again open http://mail.yahoo.com in a new browser window. You will be taken to the login page.

Sharing the Same Cookie with Multiple Servers

Many Web sites today work on more than one server using subdomains such as a.web.com for some feature and b.web.com for some other feature. One of the best examples of this usage is yahoo.com that offers various services through subdomains.

By default, cookies are returned only to the server that set them. But sometimes, it becomes mandatory to share the same cookie information among different servers. This is particularly required in e-commerce sites, which host their shopping cart server separately for security.

Servlets allow the same cookie to be shared by multiple servers through the setDomain( pattern ) method of the Cookie class, as demonstrated in the following code snippet:

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException
    {
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        if (userValidated(req)) // if user is valid; just a placeholder for the example
        {
            Cookie key = new Cookie("valid", "true");
            key.setDomain(".web.com"); // return cookie for all subdomains of web.com
            res.addCookie(key); // addCookie() is the response method that sets a cookie
        }
        else
        {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

Limiting Cookie Access

By default, a cookie is returned to all the pages on the server. Sometimes, it is desirable that cookie information is returned only for a certain directory and its subdirectories. For this, the setPath( uri ) method of the Cookie class can be used. For example, if the URI is set to /example, then the cookie will be returned only for http://servername/example and its subdirectories.

Secure Cookie

HTTPS is considerably slower than HTTP. All communication over HTTPS is encrypted, and this encryption and decryption requires a significant amount of processing power and overhead. For some Web applications, it is desirable that only sensitive information is sent over HTTPS and the rest of the communication takes place over HTTP. For this purpose, the concept of secure cookies is implemented. These cookies are transferred only over HTTPS (SSL), irrespective of the mode of transfer used for other communication between client and server. In servlets, a cookie can be made secure using the setSecure( secure ) method of the Cookie class.
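The three cookie settings described above (setDomain, setPath and setSecure) combined in one servlet, as an added example that is not part of the original guide. The cookie name cart_token, the in-memory token map and the use of getRemoteUser() are assumptions; the cookie carries a random token that is checked on the server, because a fixed value such as valid=true can be set by any client.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ScopedCookieServlet extends HttpServlet {
    private static final String NAME = "cart_token";   // hypothetical cookie name
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for a token store shared by the web.com servers (assumption).
    private static final Map<String, String> TOKENS = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String user = req.getRemoteUser();   // null unless the container authenticated the caller
        if (user == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        // Opaque random value: unlike valid=true, the client cannot guess or forge it.
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(token, user);

        Cookie key = new Cookie(NAME, token);
        key.setDomain(".web.com");   // returned to all subdomains of web.com
        key.setPath("/example");     // only for /example and its subdirectories
        key.setSecure(true);         // only sent over HTTPS
        key.setHttpOnly(true);       // not readable from page scripts (Servlet 3.0+)
        key.setMaxAge(30 * 60);      // expires after 30 minutes
        res.addCookie(key);
        res.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Server-side check: the cookie counts only if its value is a token we issued.
    static String userFor(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();   // null when the request has no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName()) && c.getValue() != null) return TOKENS.get(c.getValue());
        }
        return null;
    }
}
```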

ServletConfig Usage

The ServletConfig class is provided to pass initialization parameters to the servlet. Servlets do not have constructors, as they are not allowed to create their own objects. However, every servlet can define an init() method, which is called only once in the lifetime of the servlet. init() is overloaded: one version takes no arguments (class-level initializations can be done there) and the other takes an object of the ServletConfig class. The name-value pairs of the ServletConfig object are specified in the web.xml file of the application.

Most of the time, the database connection string and resource locations are passed using ServletConfig. The main advantage of this is that if some change is made in the database location, there is no need to recompile the servlets.

ServletContext Advanced Usage

ServletContext’s getResourceAsStream( path ) method is a very powerful and useful method, which returns an InputStream handle for the requested resource. This method has numerous uses, such as:

  1. It helps in creating a self-updating application, which picks up new files from a certain predetermined location.
  2. Language files can be stored separately, which can then be loaded by obtaining the user’s locale information and can be used to present the pages in user’s natural language.
  3. It helps in hiding a direct URL of a resource.
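The language-file use from the list above, as an added example that is not part of the original guide. The servlet name, the /WEB-INF/lang/ location, the file naming and the set of supported languages are assumptions; the locale is taken from the request, so it is matched against a fixed list before it is used to build the resource path.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GreetingServlet extends HttpServlet {
    // Languages the application ships files for (hypothetical set).
    private static final Set<String> SUPPORTED =
            new HashSet<>(Arrays.asList("en", "fr", "de"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        // The locale comes from the Accept-Language header, so it is client input:
        // map it onto a fixed list instead of concatenating it into the path as-is.
        String lang = req.getLocale().getLanguage();
        if (!SUPPORTED.contains(lang)) {
            lang = "en";
        }
        // Files under /WEB-INF are not served directly by the container,
        // so the resource has no public URL of its own.
        String path = "/WEB-INF/lang/messages_" + lang + ".properties";

        Properties messages = new Properties();
        ServletContext ctx = getServletContext();
        try (InputStream in = ctx.getResourceAsStream(path)) {
            if (in == null) {   // getResourceAsStream returns null when the file is missing
                res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
            messages.load(in);
        }
        res.setContentType("text/plain; charset=UTF-8");
        res.getWriter().println(messages.getProperty("greeting", "Hello"));
    }
}
```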
