ONJava.com -- The Independent Source for Enterprise Java

Pseudo Sessions for JSP, Servlets and HTTP

The getSessionID Method

The getSessionID method has the following signature.

public String getSessionID(HttpServletRequest request)

This method should be called at the beginning of every JSP page. It does the following.

  • It assigns a new session identifier when a new user first visits the application.
  • It checks the validity of the session identifier carried in the URL. If the session identifier is not valid or has expired, the getSessionID method returns a new session identifier.

This method works in the following way. It first reads the session identifier from the request.

String sessionId = request.getParameter("sessionId");

A flag is used to indicate whether or not the session identifier is a valid one. Initially the value of this flag is false.

boolean validSessionIdFound = false;

A long called now holds the server time at which the request occurs. It is used to determine the validity of the user session.

long now = System.currentTimeMillis();

If a session identifier is found, the method will check its validity by doing the following.

  • A valid session identifier must have a corresponding text file with the same name.
  • The time since the text file was last modified must not be longer than the timeout. In other words, the file's last modified time plus timeOut must be greater than the current time.
  • If a corresponding text file is found but has expired, the old text file is deleted.
  • If the text file of a valid session identifier is found, its last modified time is updated, reflecting the current access to it.

This is done by using the File class that is constructed by passing the path to the session text file:

if (sessionId!=null) {
  File f = new File(path + sessionId);
  if (f.exists()) {
    if (f.lastModified() + timeOut > now) { // session valid
      // with setLastModified, if the file is locked by other apps
      // there won't be any exception but the file data does not change
      f.setLastModified(now);
      validSessionIdFound = true;
    }
    else { // session expired
      // delete the file
      f.delete();
    }
  } // end if (f.exists)
} // end if (sessionId!=null)

If a valid session identifier is not found, a session identifier is generated and a corresponding text file is created.

if (!validSessionIdFound) {
  sessionId = Long.toString(now);
  //create a file
  File f = new File(path + sessionId);
  try {
    f.createNewFile();
  }
  catch (IOException ioe) {}
} // end of if !validSessionIdFound

A very simple generator is used here: the current system time is converted into the session identifier.

sessionId = Long.toString(now);

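A timestamp is easy to guess, and two requests that arrive in the same millisecond receive the same identifier. If your application contains sensitive data, you should consider implementing a more secure random number generator for session identifiers.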
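One way to follow that advice, as an added example that is not the article's own code: identifiers come from SecureRandom, and the identifier's shape is checked before it is joined to a directory, since getSessionID builds the file name directly from the request parameter. The class name SessionIds, the 32-hex-digit format and the use of the temp directory as session directory are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.regex.Pattern;

// Hypothetical helper, not part of the article's class.
public class SessionIds {
    private static final SecureRandom RNG = new SecureRandom();
    // Exactly 32 lowercase hex digits: no separators, dots or other path syntax.
    private static final Pattern WELL_FORMED = Pattern.compile("[0-9a-f]{32}");

    // 128 bits from a CSPRNG instead of Long.toString(now).
    public static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Run this on the request parameter before it is joined to a directory.
    public static boolean isWellFormed(String sessionId) {
        return sessionId != null && WELL_FORMED.matcher(sessionId).matches();
    }

    // Returns the session file, or null when the identifier is rejected.
    public static File sessionFile(File dir, String sessionId) {
        return isWellFormed(sessionId) ? new File(dir, sessionId) : null;
    }

    // createNewFile() returns false if the name exists, so a collision is retried.
    public static String createSession(File dir) throws IOException {
        String id;
        do {
            id = newSessionId();
        } while (!new File(dir, id).createNewFile());
        return id;
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir")); // assumed session directory
        String id = createSession(dir);
        System.out.println(id + " accepted: " + (sessionFile(dir, id) != null));
        // Constructed inputs: an old timestamp-style id and a value with path syntax.
        System.out.println("timestamp id accepted: " + isWellFormed("1029384756123"));
        System.out.println("path syntax accepted: " + isWellFormed("../outside"));
        new File(dir, id).delete();
    }
}
```

Both constructed inputs are rejected, so a request carrying either one is treated as having no session and receives a fresh identifier.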

getSessionID always returns a valid session identifier. This could be the same as the session identifier passed to the method or it could be a newly generated session identifier.

return sessionId;

getSessionID should be invoked at the beginning of every JSP file to ensure that the page has a valid session identifier for URL rewriting (explained in the next section) and for invoking the setValue and getValue methods.

The setValue Method

setValue is used to store a String value associated with a String called name. This name-value pair should remind you of a Dictionary. The setValue method also needs a valid session identifier for its first argument. It is assumed that the getSessionID method has been invoked before this method is called and so a validated session identifier is certain to exist. The session identifier passed to this method will not be validated again.

The setValue method effectively does the following.

  • If the String value is associated with a name that does not yet exist, the new name-value pair will be appended to the text file.
  • If the String value is associated with a name that already exists, the old value is replaced by the new value.

The setValue method stores the name-value pair in the following format.

name-1 value-1
name-2 value-2
name-3 value-3
name-n value-n

As in any other Java application, name is case-sensitive.

The setValue method has the following signature.

public void setValue(String sessionId, String name, String value)

It first tries to find the corresponding session text file. If the file does not exist, the method will return without doing anything. If the session text file is found, the method will read every line of the text file and compare the line with name. If the line begins with name followed by a white space, it means the name already exists and the value is replaced. If the comparison does not result in a match, the line will simply be copied to the temporary file.

This functionality is achieved by the following code.

try {
  FileReader fr = new FileReader(path + sessionId);
  BufferedReader br = new BufferedReader(fr);

  FileWriter fw = new FileWriter(path + sessionId + ".tmp");
  BufferedWriter bw = new BufferedWriter(fw);

  String s;
  while ((s = br.readLine()) != null) {
    if (!s.startsWith(name + " ")) {
      bw.write(s); //write the line to the file
      bw.newLine();
    }
  }
  // write the new or replaced name-value pair
  bw.write(name + " " + value);
  bw.newLine();

  bw.close();
  br.close();
  fw.close();
  fr.close();
}
catch (FileNotFoundException e) {}
catch (IOException e) { System.out.println(e.toString());}

After all lines are copied into the temporary file, the original session text file is deleted and the temporary file is renamed to the session text file.

File f = new File(path + sessionId + ".tmp");
File dest = new File(path + sessionId);
dest.delete();
f.renameTo(dest);
