
New Session Management Features In Servlet 3.0

Madhura Oak Jul 03, 2012

Tags: Servlet 3.0, Session Management, HttpOnly, HTTP Cookie, SSL, Session Tracking, Technology

The three mechanisms of client-side session management are HTTP cookies, URL rewriting and HTML hidden form fields. Servlet 3.0 provides the following new features in session management.

Session tracking cookie name

The session tracking HTTP cookie should be named JSESSIONID by all Servlet 3.0 compliant servlet containers. Some servlet containers, such as Tomcat, may allow this name to be customized. This cookie stores the session Id in the client browser, and the browser returns it to the server on every request made during the session lifetime.

HttpOnly Cookies

HttpOnly cookies cannot be accessed from client-side scripting code, provided the browser supports the HttpOnly flag. Some Cross-Site Scripting (XSS) attacks are mitigated by HttpOnly cookies: malicious scripts injected into trusted websites cannot read or modify HttpOnly cookies, so the sensitive information stored in HTTP cookies is protected from theft and misuse.

The Servlet 3.0 API allows creation of HttpOnly cookies by providing the setHttpOnly() method on the Cookie class. HttpOnly cookies can also be configured in web.xml as follows:

<session-config>
	<cookie-config>
		<http-only>true</http-only>
	</cookie-config>
</session-config>

Sending HTTP cookies only on SSL

Communication between client and server over Secure Sockets Layer (SSL) takes place on a secured connection: the data transmitted between server and client on SSL is always encrypted, and SSL provides two-way encryption. In Servlet 3.0, HTTP cookies can be configured to be transmitted only over SSL by using the following configuration in web.xml, so the cookie is only ever sent over an encrypted connection. SSL must be enabled on the web server to use this feature.

<session-config>
	<cookie-config>
		<secure>true</secure>
	</cookie-config>
</session-config>

Configure session tracking mechanism

The session tracking mechanism can be defined in web.xml using <tracking-mode> in Servlet 3.0. Its values can be COOKIE, URL or SSL. The JSESSIONID HTTP cookie is created when the tracking mode is set to COOKIE; the name of this cookie can be customized in some web servers. When the tracking mode is URL, the session Id is passed as a URL parameter named jsessionid. If the session tracking cookie name has been customized, the same name is used as the session Id parameter name in the URL. With the tracking mode SSL, the session Id is passed over SSL.

<session-config>
	<tracking-mode>COOKIE</tracking-mode>
</session-config>
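As an added example that is not part of the original post, the same three settings (HttpOnly, Secure and cookie-only tracking) applied programmatically through the Servlet 3.0 SessionCookieConfig API from a ServletContextListener; the class name SessionHardeningListener is made up for this illustration.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical listener (not from the original post): applies the same
// settings the web.xml fragments above declare, using the Servlet 3.0 API.
// These calls are only legal while the context is initialising; the
// container throws IllegalStateException if they are made afterwards.
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Equivalent of <cookie-config>: HttpOnly keeps the session cookie
        // out of reach of client-side scripts, Secure restricts it to SSL.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // Equivalent of <tracking-mode>COOKIE</tracking-mode>: with URL
        // tracking disabled the container never appends jsessionid to
        // rewritten URLs, where it could end up in access logs, browser
        // history and Referer headers.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Where both web.xml and this listener set the same option, the container applies whichever runs last during initialisation, so keep the configuration in one place.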
