Table 25.1 HttpSession Interface

| METHOD | DESCRIPTION |
| --- | --- |
| long getCreationTime() | Returns the time at which this session was created. |
| String getId() | Returns the unique identifier assigned to this session. |
| long getLastAccessedTime() | Returns the last time the current client requested the session. |
| int getMaxInactiveInterval() | Returns the maximum interval between requests for which the server will keep the session. |
| Object getValue(String) | Returns the data object stored in the session under the name given by the String parameter. See putValue(). |
| String[] getValueNames() | Returns an array of all names of data objects stored in this session. |
| void invalidate() | Causes this session to be invalidated and removed. |
| boolean isNew() | Returns true if the session has been created by the server but the client hasn't acknowledged joining the session; otherwise, it returns false. |
| void putValue(String, Object) | Assigns (binds) a data object to a String name. Used for storing session data. |
| void removeValue(String) | Removes the data object bound to the String name by the putValue() method. |
| void setMaxInactiveInterval(int) | Sets the maximum interval between requests for which the server will keep the session. |
The API of the interface is quite simple. The most-used methods are getValue() and putValue(), where it is possible to save any Java object to the session. This is very helpful if you are developing an application that needs to save state information on the server between requests. In discussing this pitfall, we will discuss the use of this class in depth.
How does a servlet get access to the HttpSession object? The servlet's request object (HttpServletRequest) that is passed into the servlet's doGet() and doPost() methods contains a method called getSession() that returns an object that implements HttpSession. Listing 25.1 shows a good example of the doGet() method in a servlet using the HttpSession interface. This block of code originates from our hardware store scenario discussed at the beginning of this pitfall. Notice that in line 6 of the listing, the servlet calls getSession() with the boolean parameter true. This creates an HttpSession if one doesn't already exist. On line 13, the servlet checks whether the session is a new one (that is, whether the client has never interacted with the session) by calling the isNew() method on HttpSession.
01 public void doGet(HttpServletRequest request,
02                   HttpServletResponse response)
03     throws ServletException, IOException
04 {
05     PrintWriter out;
06     HttpSession session = request.getSession(true);  // create the session if none exists
07     Vector shoppingcart = null;
10     out = response.getWriter();
12     out.println("<BODY BGCOLOR='WHITE'>");
13     if (session.isNew())                              // client has not joined the session yet
14     {
15         out.println("<H1>Welcome to Stockman Hardware!</H1>");
16         out.println("Since you're new.. we'll show you how ");
17         out.println(" to use the site!");
18     }
19     else
20     {
22         String name = (String)session.getValue("name");
23         shoppingcart = (Vector)session.getValue("shoppingcart");
24         if (name != null && shoppingcart != null)
25         {
26             out.println("<H1>Welcome back, " + name + "!</H1>");
27             out.println("You have " + shoppingcart.size() + " left "
28                         + " in your shopping cart!");
29         }
30     }
32     //more code would follow here..
33 }
Listing 25.1 Block of servlet code using HttpSession
On line 23, we see that the getValue() method is called on HttpSession to retrieve a String representing the name of the user and also a Vector representing the user's shopping cart. This means that at some earlier point in the session, code added those items to the session with session.putValue(), similar to the following block of code:
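String myname = "Scott Henry";
Vector cart = new Vector();
cart.add("Belt sander ID#21982");
cart.add("Drill press ID#02093");
cart.add("Air compressor ID#98983");
// Bind both objects to the session under the names that Listing 25.1 reads back
session.putValue("name", myname);
session.putValue("shoppingcart", cart);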
In fact, the preceding block of code was made to follow the scenario we discussed at the beginning of this pitfall. Everything seems to follow the way the documentation describes the HttpSession API in Table 25.1. What could go wrong?
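One way this goes wrong, shown as an added example that is not from the book: a second application writes the same two names into the same session, and the hardware store's cast from Listing 25.1 fails. FakeSession, the bookshop application and the "hardware." and "bookshop." prefixes are hypothetical stand-ins; per-application name prefixes are one common mitigation and are assumed here, not taken from the text.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Vector;

public class SessionCollisionDemo {
    // Constructed stand-in for HttpSession: one name-to-object map per browser session.
    static class FakeSession {
        private final Map<String, Object> values = new HashMap<>();
        void putValue(String name, Object value) { values.put(name, value); }
        Object getValue(String name) { return values.get(name); }
    }

    // Hardware store: binds its data under prefix + the names used in Listing 25.1.
    static void storeLogin(FakeSession s, String prefix) {
        Vector<String> cart = new Vector<>();
        cart.add("Belt sander ID#21982");
        s.putValue(prefix + "name", "Scott Henry");
        s.putValue(prefix + "shoppingcart", cart);
    }

    // Same reads and casts as lines 22-23 of Listing 25.1.
    static String storeGreeting(FakeSession s, String prefix) {
        try {
            String name = (String) s.getValue(prefix + "name");
            Vector<?> cart = (Vector<?>) s.getValue(prefix + "shoppingcart");
            return "Welcome back, " + name + "! You have " + cart.size() + " left in your shopping cart!";
        } catch (ClassCastException e) {
            return "ClassCastException: another application overwrote our session data";
        }
    }

    // Hypothetical second application on the same server; it also chose "name" and "shoppingcart".
    static void bookshopLogin(FakeSession s, String prefix) {
        s.putValue(prefix + "name", "S. Henry (bookshop account)");
        s.putValue(prefix + "shoppingcart", new String[] { "Paperback (constructed item)" });
    }

    public static void main(String[] args) {
        FakeSession shared = new FakeSession();   // same browser, same server, same session
        storeLogin(shared, "");
        bookshopLogin(shared, "");                // bare names: overwrites the store's values
        System.out.println(storeGreeting(shared, ""));

        FakeSession fixed = new FakeSession();
        storeLogin(fixed, "hardware.");
        bookshopLogin(fixed, "bookshop.");        // per-application prefixes: no overlap
        System.out.println(storeGreeting(fixed, "hardware."));
    }
}
```

Had the bookshop stored a Vector of its own under "shoppingcart", no exception would be thrown and the store would silently show the wrong cart.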
As we discussed earlier, an HttpSession exists between a browser and a servlet engine that persists for a period of time. If the values name and shoppingcart are placed to represent data objects in the HttpSession, then this session will exist for every servlet-based application on the server. What could this mean? If there are multiple servlet applications running on your server, they may use values such as name and shoppingcart to store persistent data objects with HttpSession. If, during the same session, the user of that session visits another servlet application on that server that uses