INTERACTIVE WEB SERVICES WITH JAVA
Session Tracking
HTTP is stateless, but interactive Web services require user sessions.
A session is a sequence of related interactions between a client and a server.
In general, Web services have three kinds of data:
- shared data - global data, shared between all sessions
- per-session data - local data, private to each session
- temporary data - only used for a single interaction
Techniques for implementing sessions on top of HTTP:
- URL rewriting
Add user/session data to all URLs referring to the session:
http://mysite.com/buy;customer=wile_e_coyote
or
http://mysite.com/buy;session=117
- hidden form fields
Include
<input type="hidden" name="customer" value="wile_e_coyote">
in the response page.
- Cookies - allowing servers to store and access data at clients
A cookie contains:
- name
- value
- expiration time
- domain (default: the name of the server that set the cookie)
- path (a URL path prefix on that domain; default: the path of the document that set the cookie)
- secure flag (the cookie is only transmitted over SSL connections)
- limits: max 4KB per cookie, 20 per server, 300 in total (for each browser)
How it works:
- servers create cookies by response headers:
Set-Cookie: customer=wile_e_coyote; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT
- clients include the relevant cookies in subsequent requests:
Cookie: customer=wile_e_coyote
chosen by matching the request URL against each cookie's domain, path and secure flag
Problems:
- not a security threat to the user, but perhaps a privacy threat (the user is typically not aware of the cookies); note that cookie values arrive from the client, so a server must treat data such as customer=wile_e_coyote as untrusted input
- users may disable cookies
- a session tied to a cookie is not easy for users to move to another machine
Benefit:
- for some services, cookies can store all session data (e.g. "shopping basket" applications)
- session URL (unique to JWIG!)
- every session is associated with a unique and persistent URL
- explained later...
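The cookie mechanism above, modelled from both sides, as an added example that is not code from the course or from JWIG: a server keeps per-session data behind an unguessable session id and issues a Set-Cookie header with path and secure flag; a client cookie jar decides which cookies to send from the request URL and each cookie's domain, path and secure flag; and when no cookie arrives (cookies disabled, or a Secure cookie withheld over plain HTTP) the server falls back to the ";session=..." URL rewriting form. The class and function names, the host mysite.com and the shopping-basket items are assumptions made for this illustration.

```python
"""Session tracking over stateless HTTP: cookies with a URL-rewriting fallback.
Added example (not course or JWIG code); names, host and items are invented."""
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

SESSION_COOKIE = "session"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # defaults to the server that set the cookie
    path: str = "/"
    secure: bool = False

    def matches(self, url: str) -> bool:
        """Client-side rule: host is the cookie domain or a subdomain of it,
        request path lies under the cookie path, Secure only over https."""
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        domain_ok = host == self.domain or host.endswith("." + self.domain)
        req_path = u.path.split(";", 1)[0] or "/"          # drop ;param parts
        cp = self.path                                      # RFC 6265 path-match
        path_ok = req_path == cp or (req_path.startswith(cp) and
                                     (cp.endswith("/") or req_path[len(cp)] == "/"))
        return domain_ok and path_ok and (not self.secure or u.scheme == "https")


class CookieJar:
    def __init__(self):
        self.cookies = []           # client side: what the browser remembers

    def store(self, set_cookie: str, origin_host: str) -> None:
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in
                 (a.partition("=") for a in parts[1:])}    # expires/max-age ignored
        c = Cookie(name, value, domain=attrs.get("domain", origin_host).lstrip(".").lower(),
                   path=attrs.get("path") or "/", secure="secure" in attrs)
        self.cookies = [x for x in self.cookies             # same name+domain+path replaces
                        if (x.name, x.domain, x.path) != (c.name, c.domain, c.path)] + [c]

    def cookie_header(self, url: str):
        chosen = [c for c in self.cookies if c.matches(url)]
        return "; ".join(f"{c.name}={c.value}" for c in chosen) or None


class SessionStore:
    """Server side: per-session data keyed by a random id.  The client holds only
    the id, so it cannot edit the data (unlike a customer=... cookie)."""

    def __init__(self):
        self.sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(16)                  # 128 unguessable bits
        self.sessions[sid] = {"basket": []}
        return sid

    def find(self, url: str, cookie_header):
        if cookie_header:                                # "session=<id>; other=..."
            for kv in cookie_header.split(";"):
                k, _, v = kv.strip().partition("=")
                if k == SESSION_COOKIE and v in self.sessions:
                    return v
        for param in urlsplit(url).path.split(";")[1:]:  # fallback: /buy;session=<id>
            k, _, v = param.partition("=")
            if k == SESSION_COOKIE and v in self.sessions:
                return v
        return None


def add_to_basket(store: SessionStore, url: str, cookie_header, item: str) -> dict:
    """One interaction: attach the request to its session (creating one on a
    first visit), record the item and return what the response carries."""
    sid = store.find(url, cookie_header)
    set_cookie = None
    if sid is None:
        sid = store.create()
        set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; Secure"   # id only over SSL
    basket = store.sessions[sid]["basket"]
    basket.append(item)
    u = urlsplit(url)               # rewritten link for clients with cookies disabled
    session_url = f"{u.scheme}://{u.netloc}{u.path.split(';', 1)[0]};{SESSION_COOKIE}={sid}"
    return {"sid": sid, "set_cookie": set_cookie, "basket": list(basket),
            "session_url": session_url}


def example_flow():
    """Constructed exchange: two purchases over https using the cookie, then a visit
    over plain http where only the rewritten URL identifies the session."""
    store, jar, host = SessionStore(), CookieJar(), "mysite.com"
    url = f"https://{host}/buy"
    r1 = add_to_basket(store, url, jar.cookie_header(url), "anvil")
    jar.store(r1["set_cookie"], host)                    # browser keeps the id
    r2 = add_to_basket(store, url, jar.cookie_header(url), "rocket skates")
    url3 = r1["session_url"].replace("https://", "http://", 1)
    r3 = add_to_basket(store, url3, jar.cookie_header(url3), "bird seed")
    return r1["basket"], r2["basket"], r3["basket"]
```

Two design points worth noticing when running example_flow(): the third request goes over plain http, so the browser withholds the Secure session cookie and the server only recognises the session because the id is carried in the rewritten URL (which also means the id is now visible in that URL and wherever it is logged); and the basket lives in the server-side store, so the client never holds anything but the random id.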
COPYRIGHT © 2002-2003
ANDERS MØLLER & MICHAEL I. SCHWARTZBACH