Best Option for Session Management in Java

HTTP Session Management / Alternative Session Management (in Java)

I've figured this out, so I'll share my input.

When doing HTTP session management (especially with Servlets), one has to make sure that client-side session management also exists.

What happens is that when a session is created, the servlet returns a cookie with the JSESSIONID value of the session created by the servlet container. Make sure that the client side is able to store the session and use it every time you need to access your session data from the server.

I wasn't storing the cookie on my side, so it seemed like the sessions were never created.

Hope this helps someone else.
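The behaviour described in the answer above, as an added example that is not part of the original post: a client without a cookie store gets a new session on every request, while a client with a `CookieManager` keeps one. The embedded `com.sun.net.httpserver` server is an assumed stand-in for a servlet container, and the class name is hypothetical; Java 17 or later is required.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionCookieDemo {
    // Assumed stand-in for the container's session table: session id -> request count.
    static final Map<String, Integer> SESSIONS = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            String id = (cookie != null && cookie.startsWith("JSESSIONID=")) ? cookie.substring(11) : null;
            if (id == null || !SESSIONS.containsKey(id)) {   // missing or unknown id: issue a fresh one
                byte[] raw = new byte[16];
                RNG.nextBytes(raw);
                id = HexFormat.of().formatHex(raw);
                ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + id + "; Path=/; HttpOnly");
            }
            byte[] body = ("hits=" + SESSIONS.merge(id, 1, Integer::sum)).getBytes();
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");

        HttpClient noCookies = HttpClient.newHttpClient();   // no cookie store: Set-Cookie is dropped
        HttpClient withCookies = HttpClient.newBuilder().cookieHandler(new CookieManager()).build();
        for (HttpClient c : new HttpClient[] {noCookies, withCookies}) {
            for (int i = 0; i < 3; i++) {
                String reply = c.send(HttpRequest.newBuilder(uri).build(),
                        HttpResponse.BodyHandlers.ofString()).body();
                System.out.println((c == withCookies ? "cookie jar: " : "no jar:     ") + reply);
            }
        }
        server.stop(0);
    }
}
```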

What method is used by HttpSession for session management in Java

According to the servlet 2.4 specification:

Session tracking through HTTP cookies is the most used session
tracking mechanism and is required to be supported by all servlet
containers... To fulfill this requirement, Web containers commonly
support the URL rewriting mechanism.

Session management in server application

1> Should I maintain session in server application? If yes, how?

Web services are stateless, which means the server does not store any state about the client session on the server side. You should manage the session on the client side, otherwise you will end up handling a heavy load of sessions on the server side, and I am sure you don't want to do that.

2> Should I do any validation on the server side?

If by validation you mean data integrity, I think you will have to do it for the sake of data integrity and your application's well-being.

3> To validate the user at login, should I use Spring Security for that,
or is just comparing username and password in the database enough?

You can do both. Using Spring Security is a good choice, and you will have to configure or build your own AuthenticationManager, which will compare credentials with those stored in the database.

4> When the user does not interact with the server for a particular time, there
should be a session timeout. Should this be implemented in the server
application or on the client side?

You can set a session timeout, and this should be implemented on the client side.

How to manage a User Session on an AWS server?

There are two main approaches to dealing with session state when you have multiple app servers that can handle requests:

  1. Have your load balancer implement "sticky" sessions. Here, the load balancer sends all requests from the same client to the same app server. The session is maintained locally there and everything works as if there were only one app server. When an app server goes down, all sessions that were sticky to that server are lost.

  2. Have a common session store that is available to all app servers. When an app server receives a request, it grabs the session state from the session store and when it is done modifying the session state for that request, it writes it back to the store. The session store might be a shared database or perhaps an in-memory cache that is accessed remotely by all app servers. If an app server goes down, no sessions are lost. However, there is additional overhead on each request to read/write the session across the network.

To decide which approach to use, you will need to consider the importance of not having sessions be killed when you lose a server, session state size, etc. In my opinion, a common session store is nearly always desirable as it is operationally much easier to handle - you can always whack a server whenever you want to without killing sessions.

I will not speculate on possible choices for products available to support the implementation, as that would be purely opinion-based and off-topic for this site. Suffice to say that there are lots of good options - the particular choice that will be right for you will depend on your specific requirements and expertise.


