Servlet Sessions and Automatic Login: Standard Java EE Might Not Be Enough For You

by Axel Rauschmayer · Jun. 19, 10
Java servlet session management works well for basic requirements, but has limits when it comes to advanced features:
  • There is no standard global view of all the sessions, since HttpSession.getSessionContext() has been deprecated. If you want access to all sessions, you have to set up your own registry.
  • You have relatively little control of when the session expires. For example, there is no standardized way of accessing the session cookie and extending its lifespan beyond browser restarts.
  • Any kind of server access keeps the session alive: long polling is still a common technique for pushing events from the server to the client, and it prevents a session from ever counting as inactive.

These kinds of limitations become relevant when you need to implement automatic login. There, you have the following options:

  • Store user name and password in a cookie: This is inherently unsafe and should never be done.
  • Let the browser remember user name and password: Firefox does this, but only for forms that exist at page load time. It is thus very complicated to get to work for Ajax dialogs.
  • Keep the session around longer: One needs to control session timeout (after a given period of inactivity) and possibly cookie expiration (the cookie holding the session ID is normally removed once one quits the browser).

Simple solution, standard Java EE:

  • During login, ask for the period of time one should stay logged in (if there is no activity).
  • On the server, use HttpSession.setMaxInactiveInterval(). Beware: Some servlet containers seem to create a new session when this method is invoked.
  • Problems: (1) Long-polling is registered as usage. (2) You cannot extend session lifespan beyond the next browser termination (because the cookie with the session ID will be removed).
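The simple solution in code, as an added example that is not from the original post: a login servlet that clamps the user's requested period and applies it via setMaxInactiveInterval(), plus an HttpSessionListener that keeps the session registry which the deprecated getSessionContext() no longer provides. The class names, the parameter name stayLoggedInSeconds, the default and maximum values, and the authenticate() hook are all assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Login servlet for the "simple solution": the user says how long to stay logged in and the
// server applies it with setMaxInactiveInterval(). Subclasses supply the credential check.
public abstract class LoginServlet extends HttpServlet {
    static final int DEFAULT_SECONDS = 30 * 60;            // assumed policy values
    static final int MAX_SECONDS = 14 * 24 * 60 * 60;

    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!authenticate(req.getParameter("user"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);            // drop any pre-login session so a
        if (old != null) old.invalidate();                  // fixated session ID is not kept
        req.getSession(true).setMaxInactiveInterval(
                requestedSeconds(req.getParameter("stayLoggedInSeconds")));
        // Re-fetch: some containers seem to hand out a new session when the interval is set.
        HttpSession session = req.getSession();
        session.setAttribute("user", req.getParameter("user"));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Clamp the user's choice; a negative value would mean "never expire" to the container.
    static int requestedSeconds(String raw) {
        try {
            int n = Integer.parseInt(raw);                   // parseInt(null) also throws
            return (n <= 0) ? DEFAULT_SECONDS : Math.min(n, MAX_SECONDS);
        } catch (NumberFormatException e) {
            return DEFAULT_SECONDS;
        }
    }
}

// Registry of live sessions, replacing the deprecated HttpSession.getSessionContext().
// Register it in web.xml with a <listener> element (or @WebListener on Servlet 3.0).
class SessionRegistry implements HttpSessionListener {
    private static final Map<String, HttpSession> LIVE = new ConcurrentHashMap<>();
    public void sessionCreated(HttpSessionEvent e) { LIVE.put(e.getSession().getId(), e.getSession()); }
    public void sessionDestroyed(HttpSessionEvent e) { LIVE.remove(e.getSession().getId()); }
    static Map<String, HttpSession> liveSessions() { return LIVE; }
}
```

Note that this still suffers from both problems listed above: every long-poll request resets the inactivity clock, and the container's session cookie has no Max-Age, so it disappears when the browser exits.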

Comprehensive solution, manual session management:

  • Manage your sessions yourself. The client initially receives a session ID from the server and then sends it with each request to the server. The login security FAQ [1] has more details.
  • It would be interesting to integrate this kind of session management with Google Guice, which currently supports servlet sessions via a dedicated scope.
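A minimal server-side store for the manual approach, added here as an example and not taken from the post or from Guice: tokens come from SecureRandom, the idle timeout is the value the user chose at login, and only user-driven requests refresh it, so long polling no longer counts as usage. It targets Java 8 and assumes the caller supplies the clock (now) and flags background requests itself.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Session store that bypasses HttpSession: the server hands out an opaque token once and the
// client returns it with every request. Only user-driven requests refresh the idle timer, so
// long-polling cannot keep a session alive. Assumed design, not the article's own code.
public final class ManualSessions {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    static final class Session {
        final String user;
        final long idleTimeoutMillis;   // "stay logged in for ..." value chosen at login
        volatile long lastActivity;
        Session(String user, long idleTimeoutMillis, long now) {
            this.user = user; this.idleTimeoutMillis = idleTimeoutMillis; this.lastActivity = now;
        }
    }

    // Creates a session; the token is 256 random bits, URL-safe base64, and is the only secret.
    public String create(String user, long idleTimeoutMillis, long now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, idleTimeoutMillis, now));
        return token;
    }

    // Returns the user for a live token, or null. Pass userActivity=false for long-poll and
    // other background requests so they are not registered as usage.
    public String lookup(String token, boolean userActivity, long now) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) return null;
        if (now - s.lastActivity > s.idleTimeoutMillis) { sessions.remove(token); return null; }
        if (userActivity) s.lastActivity = now;
        return s.user;
    }

    public void logout(String token) { sessions.remove(token); }

    // Global view of all sessions, which the deprecated getSessionContext() no longer provides.
    public Map<String, Session> all() { return Collections.unmodifiableMap(sessions); }

    // Evicts idle sessions so abandoned tokens do not accumulate; run from a scheduled task.
    public void sweep(long now) { sessions.values().removeIf(s -> now - s.lastActivity > s.idleTimeoutMillis); }
}
```

Hand the token to the client in a cookie with an explicit Max-Age equal to the idle timeout (plus HttpOnly and Secure) so it survives browser restarts, which the container's session cookie does not. A javax.servlet.Filter then passes the cookie value to lookup(), with userActivity=false for the long-poll URL.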

Related topics:

  • [1] Google has a nice login security FAQ.
  • [2] HttpSessionListener allows you to get notified of session creation and destruction.
  • [3] HttpSessionBindingListener can get you notified when a session expires (and is simpler than HttpSessionListener).
  • [4] “Google goodness: using GWT with Guice” (mentions session management with Guice).

From http://2ality.blogspot.com/2010/06/servlet-sessions-and-automatic-login.html
