Java Tutorial - Java Script : Using Sessions:

One of the most powerful features offered in servlets is support for sessions, a means of monitoring a user over time as a servlet is being used. Normally, the Web is a stateless protocol, which means that there’s no easy way to follow a user around from page to page. A client web browser requests a URL from a server, receives the file associated with that URL, and then is completely forgotten by the server. Nothing is done to track what a specific user does over a period of time on a website.

This information isn’t important if you’re just offering a collection of static pages, but it’s essential for many web applications. This is especially true in e-commerce: An online store needs to know which items you’ve added to your shopping cart when it’s time to calculate your bill, the final total needs to be remembered when a charge must be applied to your credit card, and so on.

Servlets can retain the state of a user through the use of HttpSession, a class that represents sessions. There can be one session object for each user running your servlet. Sessions are created, deleted, and maintained behind the scenes by the server running the servlet.

A user’s session can be created or retrieved by calling the getSession(boolean) method of the servlet’s request object. Use an argument of true if a session should be created when one doesn’t already exist for the user, as in this example for an HttpServletRequest object named req:

    HttpSession state = req.getSession(true);

A session object must be accessed in this manner before any servlet output has been composed by calling a response object’s methods. You can find out whether the session is newly created by calling its isNew() method, which returns true under that circumstance.

If you need to keep track of something as a user employs your servlet, it can be stored in the session object. The session object can hold objects in a manner comparable to a Vector, one of the data structures described on Day 8, “Data Structures.” Objects held by a session are called its attributes. Call the session’s setAttribute(String, Object) method with two arguments: a name to give the attribute and the object. To retrieve an attribute, call the getAttribute(String) method with its name as the only argument. It returns the object, which must be cast from Object to the desired class, or null if no attribute of that name exists.

To remove an attribute when it’s no longer needed, call removeAttribute(String) with its name as the argument. This method does not return null if the attribute does not exist; instead, it simply does nothing. All three methods throw IllegalStateException exceptions if the session is no longer valid. This can occur if the session was deleted by the server before the request was made, some kind of error prevented sessions from being maintained, or similar reasons.

Today’s next project uses sessions to track whether a user has provided login information to the servlet yet, as shown in Figure 21.3.
A servlet that’s used to log in a user, authenticating that the person has a valid username and password, can be loaded under three different circumstances:

· The servlet is run before the user logs in. A form must be provided so that the user can provide a username and password.
· The servlet is run to log in. The username and password provided by the user must be authenticated in some manner, presumably by checking a database.
· The servlet is run after a user logs in.

To know what has happened before, which is necessary in all these circumstances, sessions are used.

The LoginServlet program handles user logins with three session attributes: username, password, and loggedIn, a Boolean object that is true when the user has logged in and false otherwise. The source code is shown in Listing 21.3.
When the servlet is loaded for the first time in a web browser, it presents a form as shown earlier in Figure 21.3. Filling out the form and clicking the Submit button displays a page that has the text “Logging in” and a Reload Page hyperlink. Clicking the hyperlink loads a page with a greeting such as the following:

    Welcome back, rcade
    You last visited on Sat Feb 29 18:04:45 EST 2007

The servlet does not contain any code to check whether the provided username and password are valid. It simply stores them in a session so that they’re available when the servlet is run again.
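
The three circumstances above, handled in one servlet as an added example; this is not Listing 21.3 or any code from the tutorial. It differs from the LoginServlet described here in that it checks the credentials through a hypothetical authenticate() hook, leaves the password out of the session, and issues a new session ID after login. Assumptions: the javax.servlet API at version 3.1 or later (for changeSessionId()), and the class name SessionLoginSketch, which is made up for this sketch.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.http.*;

public abstract class SessionLoginSketch extends HttpServlet {
    // Hypothetical hook (not from the tutorial): a subclass checks the
    // credentials, for instance against a database of password hashes.
    protected abstract boolean authenticate(String user, String pass);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession state = req.getSession(true); // before any output is composed
        Date last = new Date(state.getLastAccessedTime());
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        if (Boolean.TRUE.equals(state.getAttribute("loggedIn"))) {
            // Run after login: greet the user from the session attributes.
            String user = (String) state.getAttribute("username");
            out.println("<p>Welcome back, " + escape(user) + "</p>");
            out.println("<p>You last visited on " + last + "</p>");
        } else {
            // Run before login: present the form.
            out.println("<form method=\"post\">Username: <input name=\"username\"> "
                + "Password: <input type=\"password\" name=\"password\"> "
                + "<input type=\"submit\"></form>");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Run to log in: check the submitted credentials before touching the session.
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !authenticate(user, pass)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login failed");
            return;
        }
        HttpSession state = req.getSession(true);
        req.changeSessionId(); // new ID after login; existing attributes are kept
        state.setAttribute("username", user); // the password is deliberately not stored
        state.setAttribute("loggedIn", Boolean.TRUE);
        res.sendRedirect(req.getRequestURI()); // reload the page with GET
    }

    // Escape the username before echoing it into HTML.
    private static String escape(String s) {
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```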