
Handling Sessions Without Cookies

Normally, JSP and servlet sessions rely on HTTP's cookie mechanism to preserve the session identifier between requests. Cookies are really nice for doing things such as helping to maintain sessions or online ordering. Unfortunately, cookies have also been abused. Many Web sites store personal information in cookies, and many Web users don't like their personal information being sent to another Web server without their knowledge. To put it simply, cookie abuse has given cookies a bad name.

Many users now disable cookies within their browsers. You might think that with cookies disabled, the only way to keep track of session information would be the hidden field technique discussed at the beginning of this hour. Fortunately, there is another solution.

Every session has an ID that uniquely identifies it. The Servlet API provides a way for you to insert a session ID into a URL. The idea is that for every URL in your Web application that refers to a servlet or a JSP, you insert the session ID as a parameter to that servlet or JSP. Because the session ID is normally stored in a cookie, you need to pass the session ID as a parameter only when cookies are disabled.

If You Use Cookies, Tell Your Users


Many Web sites that do session-oriented work require users to enable cookies. Although it's nice to be able to support sessions without cookies, users generally find cookies acceptable for applications such as online shopping. If you decide to require cookies, you might need to put a note on your Web site explaining the necessity of cookies.


The HttpServletResponse object (the response object in a JSP) contains two methods to help you pass the session ID around to different pages:


public String encodeURL(String url);
public String encodeRedirectURL(String url);

If you need to do session tracking, but the browser doesn't support cookies, encodeURL and encodeRedirectURL return a modified URL containing the session ID as a parameter for that URL. If the browser supports cookies, the URL is returned unmodified. Listing 12.8 shows a JSP that presents a form, handles the submission of the form, and puts the form results into a session. It calls encodeURL and encodeRedirectURL to make sure that sessions are supported even with cookies turned off.

Listing 12.8 Source Code for RewriteDemo.jsp
<html>
<body>

<h1>URL Rewriting Demo</h1>

<%-- See if the session already contains the name.
    If so, say "Hello" to the user --%>

<%
    String name = (String) session.getAttribute("name");

    if (name != null)
    {
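// This user already has a session; show the name and a link to the
// second page.

// The name came from a request parameter, so HTML-escape it before output.
        String safeName = name.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace("\"", "&quot;");
        out.println("Hello, "+safeName+"!");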
%>
        <A href="<%=response.encodeURL("RewriteDemo2.jsp")%>">
            Click here to continue</A>
<%

    }
// If name is passed in as a parameter, it must be as a response to
// the form input. Put the name in the session and redirect the browser
// to the second page.
    else if (request.getParameter("name") != null)
    {
        session.setAttribute("name",
            request.getParameter("name"));
        response.sendRedirect(response.encodeRedirectURL(
            "RewriteDemo2.jsp"));
    }
    else
    {
%>
<form action="<%=response.encodeURL("RewriteDemo.jsp")%>">
Please enter your name: <input type=text name="name">
<p>
<input type="submit" value="Login!">
</form>
<%
    }
%>

</body>
</html>

Listing 12.9 shows RewriteDemo2.jsp.

Listing 12.9 Source Code for RewriteDemo2.jsp
<html>
<body>
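<%
    // The name was supplied by the user; HTML-escape it before echoing it.
    String name = String.valueOf(session.getAttribute("name"));
    name = name.replace("&", "&amp;").replace("<", "&lt;")
        .replace(">", "&gt;").replace("\"", "&quot;");
%>
<H1>Hello <%=name%>!</H1>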
<p>
See, I still remembered your name.
</body>
</html>

Figure 12.6 shows the results of running RewriteDemo2.jsp, to which RewriteDemo.jsp redirects the user.

Figure 12.6. The session ID can be embedded in a URL.
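
An added example, not from the book or the Servlet API: a simplified Java model of the decision behind encodeURL, showing where the session ID lands in the URL and the cases in which the URL comes back unmodified. The encode helper, the host names, and the session ID are constructed for illustration; jsessionid is the path-parameter name the Servlet specification prescribes.

```java
import java.net.URI;

// Added illustration: a simplified model of the decision a servlet container
// makes inside encodeURL. It is not the Servlet API implementation.
public class RewriteSketch {

    // Hypothetical helper. sessionFromCookie is true when the request's
    // session ID arrived in a cookie, so no rewriting is needed.
    static String encode(String url, String sessionId,
                         boolean sessionFromCookie, String ownHost) {
        if (sessionId == null || sessionFromCookie) {
            return url;                      // cookies work: URL unchanged
        }
        URI uri = URI.create(url);
        // Never attach the ID to a link that leaves this application's host;
        // the other site would receive a usable session identifier.
        if (uri.getHost() != null && !uri.getHost().equalsIgnoreCase(ownHost)) {
            return url;
        }
        // The ID goes after the path, before any query string or fragment.
        int cut = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (h >= 0) cut = Math.min(cut, h);
        return url.substring(0, cut) + ";jsessionid=" + sessionId
                + url.substring(cut);
    }

    public static void main(String[] args) {
        String id = "CONSTRUCTED0SESSION0ID";   // constructed sample value
        String host = "shop.example";           // constructed host name
        String[] urls = {
            "RewriteDemo2.jsp",
            "HandleForm.jsp?step=2#top",
            "http://shop.example/CallMe.jsp",
            "http://other.example/page.jsp"
        };
        for (String u : urls) {
            System.out.println(u + " -> " + encode(u, id, false, host));
        }
        // Same link when the browser returned the session cookie:
        System.out.println(encode("RewriteDemo2.jsp", id, true, host));
    }
}
```

Because the ID is part of the URL, it appears wherever URLs do: browser history, bookmarks, proxy and server logs, and Referer headers sent to linked sites.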


Having Trouble with the Example?


If you are having trouble with URL rewriting, see the "Q&A" section at the end of this hour.


Unfortunately, to make full use of URL rewriting, you must pass all your pages through the URL rewriting process. In other words, if you have a static HTML page that needs session information and that has links to JSPs or servlets, you must turn this static HTML page into a JSP that uses encodeURL to rewrite the HREF values for all the hyperlinks. So, in your HTML file where you have a line such as


<a href="CallMe.jsp">

the JSP file would read


<a href="<%=response.encodeURL("CallMe.jsp")%>">

You also need to change the action attributes in each of your <form> tags. A <form> tag with an action of "HandleForm.jsp" appears in the JSP like this:


<form action="<%=response.encodeURL("HandleForm.jsp")%>">
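
An added example, not from the book: a small Java checker that lists href and action values in page source that are still literal text rather than wrapped in response.encodeURL, which is a quick way to find the links the conversion described above has missed. The class name, the list of static file extensions, and the sample page are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UnencodedLinkCheck {

    // href="..." or action="..." whose value is literal text. A value that
    // starts with a JSP expression (<%= ... %>) does not match.
    private static final Pattern ATTR = Pattern.compile(
            "\\b(href|action)\\s*=\\s*\"([^\"<]+)\"", Pattern.CASE_INSENSITIVE);
    // Targets treated as needing no rewriting (assumed list): in-page
    // anchors, URLs with a scheme, and common static file types.
    private static final Pattern STATIC_TARGET = Pattern.compile(
            "(?i)^(#.*|[a-z][a-z0-9+.-]*:.*|[^?#]*\\.(html?|css|js|gif|jpe?g|png))$");

    static List<String> findUnencoded(String pageSource) {
        List<String> findings = new ArrayList<>();
        String[] lines = pageSource.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = ATTR.matcher(lines[i]);
            while (m.find()) {
                if (!STATIC_TARGET.matcher(m.group(2)).matches()) {
                    findings.add("line " + (i + 1) + ": " + m.group(1)
                            + "=\"" + m.group(2) + "\"");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample page mixing rewritten and plain links.
        String page = String.join("\n",
            "<a href=\"CallMe.jsp\">Call</a>",
            "<a href=\"<%=response.encodeURL(\"CallMe.jsp\")%>\">Call</a>",
            "<form action=\"HandleForm.jsp\">",
            "<a href=\"help.html\">Help</a>",
            "<a href=\"http://other.example/\">Partner</a>");
        findUnencoded(page).forEach(System.out::println);
    }
}
```

Absolute URLs are skipped by this check, so a link written with a scheme and your own host name that points at a JSP still needs a manual look.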

Minimize Rewriting


Modifying your Web site to rewrite all your forms and hyperlinks is a difficult task. Try to design your site so that you can minimize the amount of rewriting necessary.

