The three mechanisms of client-side session tracking are HTTP cookies, URL rewriting and HTML hidden form fields. Servlet 3.0 provides the following new session management features.
Session tracking cookie name
The session tracking HTTP cookie is named JSESSIONID by all Servlet 3.0 compliant servlet containers. Servlet 3.0 also allows the name to be customized, through the <name> element of <cookie-config> in web.xml or SessionCookieConfig.setName(), and some containers such as Tomcat expose a container-specific setting as well. This cookie stores the session ID in the client browser, and the browser returns it to the server on every request for the lifetime of the session.
HttpOnly Cookies
HttpOnly cookies cannot be accessed from client-side script, provided the browser supports the HttpOnly flag (all current browsers do). This mitigates one consequence of Cross-Site Scripting (XSS): a script injected into a trusted website cannot read or modify an HttpOnly cookie through document.cookie, so a session ID stored in such a cookie cannot be exfiltrated and replayed from the attacker's machine. HttpOnly does not stop the XSS itself; the injected script can still issue requests from the victim's browser, and the browser attaches the cookie to them, so the flag complements output encoding and other XSS defences rather than replacing them.
The Servlet 3.0 API allows creation of HttpOnly cookies through the setHttpOnly() method of the Cookie class. The session tracking cookie itself can be made HttpOnly in web.xml as follows (the <cookie-config> element applies only to the session cookie, not to cookies the application creates):

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
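The following is an added example, not code from the original page, showing the Cookie API in use for an application cookie rather than the session cookie. The servlet path /login, the cookie name REMEMBER_ME and the token generation are illustrative assumptions. It sets the HttpOnly flag discussed here together with the Secure flag discussed in the next section, because a practitioner sets the two together on any cookie that carries an authentication token:

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Issues a "remember-me" style token cookie with the HttpOnly and Secure flags set. */
@WebServlet("/login")   // hypothetical servlet path
public class LoginServlet extends HttpServlet {

    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Builds a cookie that client-side script cannot read or modify (HttpOnly)
     * and that the browser returns only over an SSL/TLS connection (Secure).
     * Both setters are part of the Servlet 3.0 Cookie API.
     */
    static Cookie hardenedCookie(String name, String value, int maxAgeSeconds) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);      // hidden from document.cookie
        c.setSecure(true);        // never sent over plain HTTP
        c.setPath("/");           // scope to the whole application
        c.setMaxAge(maxAgeSeconds);
        return c;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A Secure cookie set on a plain-HTTP response is never returned by the
        // browser, so refuse to issue one unless the request itself arrived on TLS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Credential verification is assumed to have happened here (omitted);
        // only the cookie handling is shown.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Store 'token' server-side against the authenticated user (omitted),
        // then hand it to the browser as an HttpOnly + Secure cookie valid 14 days.
        resp.addCookie(hardenedCookie("REMEMBER_ME", token, 14 * 24 * 3600));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The token is a random 256-bit value rather than anything derived from the user, so the cookie carries no information worth decoding; what HttpOnly and Secure protect is the token's use as a bearer credential.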
Sending HTTP cookies only over SSL
Communication between client and server over Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), takes place on an encrypted connection: data transmitted in either direction is encrypted, so a network observer cannot read or alter it. The Secure flag on a cookie tells the browser to return that cookie only over such a connection, never over plain HTTP. The flag does not encrypt the cookie itself; the protection comes from the transport, and the flag only stops the browser from sending the cookie on an unprotected channel where it could be sniffed. In Servlet 3.0 the session tracking cookie is marked Secure with the following web.xml configuration (application cookies use Cookie.setSecure(true)). SSL/TLS must be enabled on the web server to use this feature; otherwise the browser will never return the cookie and the session cannot be tracked.

<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
Configure session tracking mechanism
The session tracking mechanism can be declared in web.xml using <tracking-mode> in Servlet 3.0, or programmatically with ServletContext.setSessionTrackingModes(). Its values are COOKIE, URL and SSL, and more than one <tracking-mode> element may be listed. With COOKIE the container creates the JSESSIONID cookie; the name can be customized as described above. With URL the session ID is appended to every URL the application passes through HttpServletResponse.encodeURL() or encodeRedirectURL(), as a path parameter of the form ;jsessionid=<id>. If the session tracking cookie name is customized, the same name is used for the path parameter. URL rewriting should be avoided where possible, because the session ID then appears in browser history, bookmarks, Referer headers and server and proxy logs. With SSL the container uses the SSL/TLS session identifier as the HTTP session ID; this works only over HTTPS, and the specification does not allow SSL to be combined with COOKIE or URL (setSessionTrackingModes() throws IllegalArgumentException for such a combination).

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
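As an added example, not part of the original page, here is the programmatic equivalent of the three web.xml fragments above: a ServletContextListener that configures the session cookie and the tracking mode through the Servlet 3.0 SessionCookieConfig and ServletContext APIs. The class name is an arbitrary choice; the API calls are the ones the specification defines.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Hardens session tracking at startup. These setters are only legal before the
 * web application finishes initialising, so they live in contextInitialized();
 * calling them later throws IllegalStateException.
 */
@WebListener   // discovered by the container; no web.xml entry needed
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Equivalent of <session-config><cookie-config>...</cookie-config></session-config>
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setName("JSESSIONID");  // the specification default; a custom name is also allowed
        cookie.setHttpOnly(true);       // <http-only>true</http-only>
        cookie.setSecure(true);         // <secure>true</secure>

        // Equivalent of <tracking-mode>COOKIE</tracking-mode>. Listing only COOKIE
        // means encodeURL() never appends ;jsessionid=..., so the ID cannot leak
        // through Referer headers, logs or copied links. Combining SSL with any
        // other mode here would throw IllegalArgumentException.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Record what the container actually applied, for verification in the logs.
        ctx.log("Effective session tracking modes: " + ctx.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Once this listener is deployed the corresponding web.xml fragments become redundant. Because the cookie is marked Secure, the application must be served over HTTPS or the browser will never return the session cookie and every request will start a fresh session.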