URL Rewriting Session Tracking in Servlet

URL Rewriting Session Tracking Mechanism in Java Servlet

In this article, I am going to discuss URL Rewriting Session Tracking Mechanism in Java Servlet Application. Please read our previous article where we discussed Hidden Form Field Session Tracking Mechanism. At the end of this article, you will understand the following pointers in detail.

Why we need the URL Rewriting Session Tracking Mechanism?
What is URL-Rewriting Session Tracking Mechanism?
How to Implement URL-Rewriting in Servlet?
Advantages of URL-Rewriting
Disadvantages of URL-Rewriting
URL Rewriting Example using Java Servlet
Difference Between HttpSession with Cookies and HttpSession with URL-Rewriting

Why we need the URL Rewriting Session Tracking Mechanism?

In the case of the HttpSession Session Tracking Mechanism, when we create a HttpSession object automatically Session-Id is created in the form of the cookie, where Session-Id Cookie will be transferred from server to client to server along with response and request automatically.

In the HttpSession Session Tracking Mechanism, we are able to identify user-specific HttpSession objects on the basis of Session-Id only. In this context, if we disable Cookies at the client browser then HttpSession Session Tracking Mechanism will not execute its functionality.

In the case of cookies session tracking mechanism, the complete client conversation will be stored at the respective client machine only in the form of Cookies. Here the Cookies data will be opened to every user of that machine. So that Cookies Session Tracking Mechanism will not provide security for the application data.

The third Session Tracking technique which is nothing but HttpSession with cookies uses in-memory cookies to send sessionId to browser window along with the response from the web resource program and to send sessionId back to the web application along with the request from the browser window. Due to this the session tracking of HttpSession with cookies techniques fails. If cookies are restricted coming to the browser window, from web applications by using browser settings.

To overcome the above problem, we have to use URL-Rewriting Session Tracking Mechanism.

What is URL-Rewriting Session Tracking Mechanism?

In the case of URL-Rewriting Session tracking Mechanism, we will not maintain the client’s conversation at the respective client machine, we will maintain the client’s conversation in the form of a HttpSession object at the server machine. So that URL-Rewriting Session Tracking Mechanisms is able to provide very good security for the application data.

URL-Rewriting Session Tracking Mechanism is almost all same as HttpSession Tracking Mechanism, in URL-Rewriting Session Tracking Mechanism we will not depending on a Cookie to maintain Session-Id value, we will manage SessionId value as an appended to URL in the next generated form.

In this context, if we send a request from the next generated from automatically the appended Session-Id value will be transferred to the server along with the request. In this case, even though if we disable Cookies at the client browser, but still we are able to get SessionId value at the server machine and we are able to manage the client’s previous request data at the time of processing the later request.

In URL-Rewriting Session Tracking Mechanism, every time we need to rewrite the URL with Session-Id value in the next generated form. So that this mechanism is called a URL-Rewriting Session Tracking Mechanism.

In URL-Rewriting Session Tracking Mechanism, it is mandatory to append Session-Id value to the URL by getting Session-Id value explicitly. For this, we can append sessionId to a URL that goes to the browser window along with the response and comes back to the web application from the browser window along with the request. This process is nothing but “URL Rewriting”. Since the HttpSession object is also involved in the URL rewriting, this process is technically called the “HttpSession with URL rewriting” session tracking technique.

How to Implement URL-Rewriting in Servlet?

If the web resource program of web application generates dynamic from pages then the URL placed in the action attribute of <form> tag comes to browser window along with the response and goes back to web application along with the request submitted by a dynamic form page.

Appending session Id to the URL is known as URL rewriting. By calling encodeURL() on the response object URL rewriting is implemented. For example

String newURL = response.encodeURL(“./surl”);

response.encodeURL() method can append sessionId of current HttpSession object to the given URL as shown below

String newURL = response.encodeURL(“./surl”); ->this gives output like surl;jsessionid=3ECFCC2136E

Note: Despite the disabling (or blocking) of the cookies at web client side, URL rewriting ensure that session tracking is implemented.

Advantages of URL-Rewriting

The advantage of URL rewriting is the capability to include session tracking information without the use of forms. Even with this advantage is still a very arduous coding process. UL-Rewriting does not depend upon cookies and will work whether cookies are enabled or disabled.

Disadvantages of URL-Rewriting

In URL-Rewriting Session tracking Mechanism, every time we need to rewrite the URL with Session-Id value in the generated form, for this we must execute the encoded URL() method. So that URL-rewriting Session Tracking Mechanism should require dynamically generated forms, it will not execute its functionality with static forms.

URL Rewriting Example using Java Servlet:

Here, we are creating an HTML file “index.html” with two text boxes to enter “Name” and “Password”. In the “web.xml” file, make sure that the servlet name and URL name should be the same. Here, we are creating two classes: “MyServlet.java” and “First.java”. Here, we are maintaining the state of the user using a link. For this purpose, we are appending the name of the user in the query string in “MyServlet.java” and getting the value from the query string on another page “First.java”.

index.html

<html>
   <form method="post" action="validate">
    Name:<input type="text" name="user" /><br/>
    Password:<input type="text" name="pass" ><br/>
    <input type="submit" value="submit">
  </form>
</html>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://xmlns.jcp.org/xml/ns/javaee"
 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
 id="WebApp_ID" version="4.0">
 <servlet>
        <servlet-name>validate</servlet-name>
        <servlet-class>MyServlet</servlet-class>
    </servlet> 
    <servlet-mapping>
        <servlet-name>validate</servlet-name>
        <url-pattern>/validate</url-pattern>
    </servlet-mapping>
    
    <servlet>
        <servlet-name>First</servlet-name>
        <servlet-class>First</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>First</servlet-name>
        <url-pattern>/First</url-pattern>
    </servlet-mapping>
    
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
</web-app>

MyServlet.java

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyServlet extends HttpServlet {
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        String name = request.getParameter("user");
        String pass = request.getParameter("pass");
        
        if(pass.equals("1234"))
        {
            response.sendRedirect("First?user_name="+ name);
        }
    }   
}

First.java

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class First extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String user = request.getParameter("user_name");
        out.println("Welcome "+user);
    }
}

Output

Here, Enter your name and password. Password must be “1234”

After clicking the “submit” button

Difference Between HttpSession with Cookies and HttpSession with URL-Rewriting

The difference between HttpSession with cookies and HttpSession with URL-Rewriting techniques is the way they deal with the session id of the HttpSession object.

The HttpSession with cookie technique uses an in-memory cookie to send sessionId to browser window along with the response and to bring sessionId back to the web application from the browser along with the request.
The HttpSession with URL rewriting appends sessionId back to the web application from the browser along with the request.
The HttpSession with URL rewriting appends sessionId to a URL that goes to the browser window along with the response from the web application and comes back to the web application along with the request from the browser window.
If the web application is enabled with HttpSession with URL rewriting and if cookies are not blocked through browser settings then the web application uses cookies internally to deal with session ids by removing the effect of URL rewriting once the web application knows that the browser window has not blocked the cookies.

In the next article, I am going to discuss the HttpSession interface in Servlet. Here, in this article, I try to explain the URL Rewriting Session Tracking Mechanism in Java Servlet. I hope you enjoy this URL Rewriting Session Tracking Mechanism in Java Servlet article.

Dot Net Tutorials

About the Author: Pranaya Rout

Pranaya Rout has published more than 3,000 articles in his 11-year career. Pranaya Rout has very good experience with Microsoft Technologies, Including C#, VB, ASP.NET MVC, ASP.NET Web API, EF, EF Core, ADO.NET, LINQ, SQL Server, MYSQL, Oracle, ASP.NET Core, Cloud Computing, Microservices, Design Patterns and still learning new technologies.