A session is considered 'new' when it is only a prospective session and has not been established. Because HTTP is a request-response based protocol, an HTTP session is considered to be new until a client 'joins' it. A client joins a session when session tracking information has been returned to the server indicating that a session has been established. Until the client joins a session, it cannot be assumed that the next request from the client will be recognized as part of a session.
The session is considered to be 'new' if either of the following is true:
The client does not yet know about the session.
The client chooses not to join a session.
To obtain a session, use the getSession() or getSession(boolean) method of the javax.servlet.http.HttpServletRequest object. When you first obtain the HttpSession object, the servlet container uses one of three ways to establish tracking of the session: cookies, URL rewriting, or Secure Sockets Layer (SSL) information. Assume the servlet container uses cookies. In that case the servlet container creates a unique session ID and typically sends it back to the browser as a cookie. Each subsequent request from this user (at the same browser) passes the cookie containing the session ID, and the servlet container uses this ID to find the user's existing HttpSession object.
If the argument of the getSession(boolean) method is set to true, the HttpSession object is created if it does not already exist (the same as calling the getSession() method).
If the argument of the getSession(boolean) method is set to false, the HttpSession object is NOT created if it does not already exist, and the method returns null.
You can end a session:
Automatically, by the servlet container, if a session is inactive for a specified time. The administrators provide a way to specify the amount of time after which to invalidate a session.
By coding the servlet to call the HttpSession.invalidate() method on the session object.
In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a timeout period.
The default timeout period for sessions is defined by the servlet container and can be obtained via the int HttpSession.getMaxInactiveInterval() (sec.) method of the HttpSession interface. The developer can change this timeout using the HttpSession.setMaxInactiveInterval(int) (sec.) method of the HttpSession interface. The timeout periods used by these methods are defined in SECONDS. By definition, if the timeout period for a session is set to -1 (or ANY NEGATIVE value), the session will never expire. The session invalidation will not take effect until all servlets using that session have exited the service method. Once the session invalidation is initiated, a new request must not be able to see that session.
package javax.servlet.http;

public interface HttpSession {
    public int getMaxInactiveInterval();
    public void setMaxInactiveInterval(int interval);
    public void invalidate();
    public boolean isNew();
}
Another way to configure the session timeout (for all sessions within one web application) is to use the deployment descriptor (web.xml). The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of MINUTES. If the timeout is 0 or less, the container ensures the default behaviour of sessions is NEVER to time out. If this element is not specified, the container must set its default timeout period.
<web-app>
    ...
    <session-config>
        <session-timeout>30</session-timeout> <!-- 30 minutes -->
    </session-config>
</web-app>
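The following servlet is an added example, not code from the original page. It ties together getSession(boolean), isNew(), setMaxInactiveInterval(int) and invalidate() as described above. The class name, the "action", "user" and "password" request parameters and the credentialsValid() hook are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the original page. Class name, the "action"/"user"/
// "password" parameters and credentialsValid() are hypothetical.
public abstract class SessionLifecycleServlet extends HttpServlet {

    // setMaxInactiveInterval() takes SECONDS; <session-timeout> takes MINUTES.
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    // Assumption: the application supplies its own credential check.
    protected abstract boolean credentialsValid(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String action = req.getParameter("action");
        if ("login".equals(action)) {
            String user = req.getParameter("user");
            if (!credentialsValid(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // End any session the client already presented, then start a fresh one.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = req.getSession(true);
            session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
            session.setAttribute("user", user);
            // isNew() is true here: the client has not yet sent this ID back.
            resp.getWriter().println("session new: " + session.isNew());
        } else if ("logout".equals(action)) {
            // getSession(false) avoids creating a session just to destroy it.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            resp.getWriter().println("logged out");
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

The 15-minute value set in code overrides the web.xml default for that one session only; other sessions in the web application keep the session-timeout value from the deployment descriptor.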