Invalidating the existing session and creating a new session in servlets
To demonstrate these methods, Example 7-5 shows a servlet that manually invalidates a session if it is more than a day old or has been inactive for more than an hour. Behind the scenes, the session ID is usually saved on the client in a cookie or sent as part of a rewritten URL.
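The age and inactivity check described above can be written as follows. This is an added example, not the book's Example 7-5; the class name `SessionAgeLimit`, the two constants and the `isExpired` helper are assumptions made for illustration, and it uses the `javax.servlet` package names.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: replaces a session that is more than a day old
// or that has been inactive for more than an hour.
public class SessionAgeLimit extends HttpServlet {
    static final long MAX_AGE_MS = 24L * 60 * 60 * 1000;  // one day
    static final long MAX_IDLE_MS = 60L * 60 * 1000;      // one hour

    // Pure decision logic, kept separate so it can be unit tested
    // without a servlet container. All arguments are epoch milliseconds.
    static boolean isExpired(long created, long lastAccessed, long now) {
        return now - created > MAX_AGE_MS || now - lastAccessed > MAX_IDLE_MS;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Fetch the current session, creating one if none exists yet.
        HttpSession session = req.getSession(true);
        boolean replaced = false;

        // A session created by this request cannot be stale, so skip it.
        if (!session.isNew() && isExpired(session.getCreationTime(),
                session.getLastAccessedTime(), System.currentTimeMillis())) {
            // invalidate() unbinds every object stored in the old session.
            session.invalidate();
            // After invalidation the container issues a session with a new ID.
            session = req.getSession(true);
            replaced = true;
        }

        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("Old session replaced: " + replaced);
        out.println("Session is new: " + session.isNew());
        out.println("Created: " + new Date(session.getCreationTime()));
        out.println("Last accessed: " + new Date(session.getLastAccessedTime()));
        // The session ID is deliberately not written to the response body;
        // it travels only in the cookie or rewritten URL set by the container.
    }
}
```

Any state that must survive the replacement has to be copied out of the old session before `invalidate()` is called, because the call discards all of its bindings.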
This method may use different rules than On servers that don't support URL rewriting or have URL rewriting turned off, the resulting URL remains unchanged. Then it continues on to display the current session's ID, whether it is a new session, the session's creation time, and the session's last access time.
Now here's a code snippet that shows a servlet redirecting the user to a URL encoded to contain the session ID: servlet shown in Example 7-7 uses most of the methods discussed thus far in the chapter to snoop information about the current session and other sessions on the server. Next the servlet displays whether the requested session ID (if there is one) came from a cookie or a URL and whether the requested ID is valid.
All URLs emitted by a servlet should be run through this method.
A server can build on this base to provide additional features and capabilities.
Other implementations, such as using SSL (Secure Sockets Layer) sessions, are also possible.
A servlet can discover a session's ID with the should be held as a server secret because any client with knowledge of another client's session ID can, with a forged cookie or URL, join the second client's session.
For example, a user's session object provides a convenient location for a servlet to store the user's shopping cart contents or, as you'll see in Chapter 9, "Database Connectivity", the user's database connection.
A servlet uses its request object's This method returns an array that contains the names of all objects bound to this session or an empty (zero length) array if there are no bindings. The Servlet API provides two methods to perform this encoding: This method encodes (rewrites) the specified URL to include the session ID and returns the new URL, or, if encoding is not needed or not supported, it leaves the URL unchanged.