Invalidating the existing session and creating new session in servlets

Posted by / 13-Aug-2019 22:16

Note that installing this servlet is a security risk, as it exposes the server's session IDs--these may be used by unscrupulous clients to join other clients' sessions.

Many web servers also support session tracking based on URL rewriting, as a fallback for browsers that don't accept cookies. For a servlet to support session tracking via URL rewriting, it has to rewrite every local URL before sending it to the client.

For example, the Java Web Server has the ability to revert to using URL rewriting when cookies fail, and it allows session objects to be written to the server's disk as memory fills up or when the server shuts down.

(The items you place in the session need to implement the interface to take advantage of this option.) See your server's documentation for details pertaining to your server.

This method may use different rules than On servers that don't support URL rewriting or have URL rewriting turned off, the resulting URL remains unchanged. Then it continues on to display the current session's ID, whether it is a new session, the session's creation time, and the session's last access time.

Now here's a code snippet that shows a servlet redirecting the user to a URL encoded to contain the session ID: servlet shown in Example 7-7 uses most of the methods discussed thus far in the chapter to snoop information about the current session and other sessions on the server. Next the servlet displays whether the requested session ID (if there is one) came from a cookie or a URL and whether the requested ID is valid.


The Servlet API provides two methods to perform this encoding: This method encodes (rewrites) the specified URL to include the session ID and returns the new URL, or, if encoding is not needed or not supported, it leaves the URL unchanged.
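The servlet below is an added example, not code from the original page. It passes a local link through `encodeURL()` and a redirect target through `encodeRedirectURL()`, reports where the requested session ID came from, and invalidates the existing session and creates a new one when asked. The class name, the `renew` parameter and the `/catalog` and `/home` paths are assumptions, and the code is written against the `javax.servlet` API.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; the class name, the "renew" parameter and the
// "/catalog" and "/home" paths are assumptions made for this example.
public class SessionLinkServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        if ("true".equals(req.getParameter("renew"))) {
            // Invalidate the existing session and create a new one, so the
            // old ID (possibly exposed in a URL) stops working.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            req.getSession(true);
            // Redirect targets go through encodeRedirectURL(), which may
            // apply different rules than encodeURL().
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/home"));
            return;
        }

        HttpSession session = req.getSession(true);
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("New session: " + session.isNew());
        out.println("Requested ID from cookie: " + req.isRequestedSessionIdFromCookie());
        out.println("Requested ID from URL: " + req.isRequestedSessionIdFromURL());
        out.println("Requested ID valid: " + req.isRequestedSessionIdValid());
        // Every local URL sent to the client is passed through encodeURL();
        // the container appends the session ID only when it is needed.
        out.println("Catalog link: " + res.encodeURL(req.getContextPath() + "/catalog"));
    }
}
```

The servlet deliberately never prints the session ID itself, only whether it arrived by cookie or by URL.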
