Embed Size (px)
Citation preview
CSCI 6962: Server-side Design and Programming
Java Server FacesScoping and Session Handling
Outline
• Session handling concepts• Session scoping in managed beans– Creating a session bean– Information flow
• Session properties– Timeouts– Web.xml
• URL encoding
Sessions
• Session: Set of pages submitted by user to accomplish goal– Example: Most on-line shopping
Add to cartEnter
shipping information
Enter payment
informationReciept
Need for Session Handling
• Problem: No way to associate steps if multiple clients– Nothing built into the web allows server to know where a
request is coming from– Server may have to simultaneously manage thousands of
sessions
?
Session Handling
• Assign each new client unique ID at start of session. • Pass ID to client as part of each response
– Now client knows it as well– Stored as cookie by default
• Client passes ID back to server with subsequent requests– Server can associate this request can be associated with initial request.
• Server stores client data in table indexed by session ID
Client Serverinitial requestsession ID created for client
data associated with this clientresponse including
session ID
further requests include more data + session ID
session ID (stored as cookie)
Managed Bean Scoping
• Managed beans have scope– Set of pages that have access to the bean– “Period of time” for which Glassfish stores bean in memory
• Major types of scoping:– request: current page– session: all pages for single user (over given time)– application: all pages for all users
Creating Session Beans
• Scoping set at bean creation in NetBeans
Choose session scope
Session Creation
• When user first requests page– Create any new session beans used by page– Create unique JSessionID for this user– Associate beans with that JSessionID– Bean state then stored as string between access
Request for JSF page(initial form request)
JJSF JBean
JSessionID
Serialized form of bean
Browser
Passing Session to Client
• SessionID passed to client along with requested page– By default, stored in client-side cookie
Jhtml JSessionID
JJSF JBean
JSessionID
JSessionID
Cookies
Passing Session to Server
• At page submission, sessionID passed as part of request– Cookies associated with page automatically passed
Browser
JhtmlJSessionID JBean
JSessionID
JSessionID
Cookies
Retrieving Session
• Glassfish looks up session beans with matching ID• Form data loaded into that bean
set methodsForm
values
Browser
JhtmlJSessionID
JBean
JSessionID
JSessionID
Cookies
Session Handling in JSP
• Sessions can be accessed from both servlet and JSP– Servlet: Construct a new session object from the requestHttpSession session = request.getSession();
– JSP: Just use built-in session object which Tomcat creates from request (like request object)
Server
session ID created for client
data associated with this client
Servlet
Construct session object
JSP
Use session object
request : form data + session ID
Session Timeouts
• Sessions time out after specific period of inactivity– Inactivity = session bean not requested by any page– Goal: efficiency, security– If session expired, access creates new bean (with default
values instead of previous values)
• Session timeout property of web.xml file
Sessions and Cookies
• Default: JSessionID stored in cookie in client-side browser
• What if user disables cookies?
URL Encoding
• Pass session ID to the client as part of every response • Insure that client sends that session ID back to the
server as part of every request
Browser
Jhtml
JSessionIDJJSF
JBean
JSessionIDJSessionID
JSessionID
setForm values
URL Encoding
• JSessionID now passed in url
URL Encoding
• URL encoding done automatically in JSF if cookies not enabled• Can control whether URL encoding done using tracking-mode
tag in web.xml– Not currently supported in NetBeans
