HTTP Session query

 
Ranch Hand
Posts: 1376
Eclipse IDE Java
Very basic question: when is the HTTP Session object created in a web application?
Suppose I have a website. The home page of the website is an HTTP page which contains details of the company and a link to the Login page.

Consider the below-mentioned user journey as the scenario:
a. user arrives at the home page of the website
b. user clicks on the Login link
c. user fills in login details on the login page and clicks on Submit
d. user is successfully authenticated and authorized by the back end
e. user-specific page is shown
f. user clicks on the logout link
g. user is successfully logged out from the website
h. user is redirected to the home page
i. user closes the browser

In the above-mentioned user journey,
a. at which step does the HTTP session start (i.e. at which step is the HTTP Session object created)?
b. at which step does the HTTP session end?

If required, assume the tech stack to be Java 7, Servlet 2.5, JSP, Tomcat 7 and Apache web server (for static web content).

I searched Google about this query but could not find a concrete answer, so I am posting this question here to get some concrete details.
 
Bartender
Posts: 1810
28
jQuery Netbeans IDE Eclipse IDE Firefox Browser MySQL Database Chrome Linux
Assuming a session doesn't already exist, a session ID is created at step A. The server returns a session ID to the client with the very first response. The client will then include that session ID with every subsequent request. When it ends depends on a couple of things. At step F you have a logout action at which point it's common to invalidate the session. However, if you redirect the user to the home page a brand new session ID will be created because that's a new request.

If you don't invalidate the session it will end when the timeout is reached. The timeout can be set in your code or in the web.xml file. It's a common misconception that a session will invalidate when the user closes their browser, but that's not the case. The server has no way of knowing that the browser has been closed so it depends on the timeout value to end the session if there is no explicit call to the session.invalidate() method.
 
Ranch Hand
Posts: 59
6
It's also common to create a new session when the user is authenticated. This is needed to prevent some session hijacking attacks.

See the OWASP Session Management Cheat Sheet:

"The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state."
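The invalidate-on-logout and regenerate-on-login behaviour described in the two replies above, written out for the Servlet 2.5 / Tomcat 7 stack named in the question (Servlet 2.5 has no HttpServletRequest.changeSessionId(), which only arrived in Servlet 3.1, so the anonymous session is invalidated and a fresh one created). This is an added illustration, not code from the thread; the class names, the /account and / paths and the authenticate() stub are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (step c/d of the journey): on successful
// authentication the privilege level changes, so the pre-login session ID
// must not survive into the authenticated state.
public class LoginServlet extends HttpServlet {

    // Placeholder credential check; a real application would consult its user store.
    private boolean authenticate(String user, String password) {
        return "demo".equals(user) && "demo-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!authenticate(req.getParameter("username"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);    // false: do not create one if absent
        if (old != null) {
            old.invalidate();                       // discard the anonymous session and its ID
        }
        HttpSession session = req.getSession(true); // new session; its ID goes out with this response
        session.setAttribute("user", req.getParameter("username"));
        session.setMaxInactiveInterval(15 * 60);    // idle timeout in seconds, overrides web.xml
        resp.sendRedirect(req.getContextPath() + "/account");
    }
}

// Hypothetical logout servlet (step f/g): the server-side session is ended
// explicitly. The redirected request to the home page starts with no session;
// a new one is created only if that page calls getSession() (a JSP does so
// by default unless it declares session="false").
class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Closing the browser (step i) never reaches either servlet, which is why the idle timeout set here, or the session-timeout element in web.xml, is what finally ends a session the user did not log out of.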

 
Abhay Agarwal
Ranch Hand
Posts: 1376
Eclipse IDE Java
Thanks for this info

It's a common misconception that a session will invalidate when the user closes their browser, but that's not the case. The server has no way of knowing that the browser has been closed so it depends on the timeout value to end the session if there is no explicit call to the session.invalidate() method.

 
Abhay Agarwal
Ranch Hand
Posts: 1376
Eclipse IDE Java
Thanks for this info

It's also common to create a new session when the user is authenticated. This is needed to prevent some session hijacking attacks.

 
Abhay Agarwal
Ranch Hand
Posts: 1376
Eclipse IDE Java
Thanks for all the replies. My Query is answered.
 