Session Handling in a Java EE Application

I am developing a system for processing financial transactions received from merchants' client systems; it is a replacement for the existing system that we purchased from a supplier. The client interface should call up the user authentication and transaction processing screens from our system.

The functionality of the system is as follows,

  • Get the input parameters from the seller's site.
  • Confirm them.
  • User authentication (users are registered in our system, and we must call our login screen).
  • Process the transaction.
  • Return a reply to the seller.

On receiving the response, the client verifies the transaction data against the values in the session.

A system overview can be described as follows:

[system overview diagram; image not reproduced here]

My problem is that the client is unable to keep its session when we respond to it. Yet the same functionality is achieved by the system we purchased from the supplier (we do not have the source code to analyze its internals). I suspect something is wrong with how we respond to the client.

How can I solve this problem?

We use Java 1.4.2 and the WebSphere application server.

1 answer

There are many things that can make a session disappear. I suggest tracing them one by one and checking that each is behaving correctly. This is easier to do if you understand how sessions work.

  • The session has timed out. The default is usually 30 minutes. This is configured by <session-timeout> in web.xml, where you specify the timeout in minutes. You can implement an HttpSessionListener to track session creation and destruction using a logger.

  • The session was explicitly invalidated. This happens when code calls HttpSession#invalidate(). This can also be tracked with the HttpSessionListener.

  • The session cookie has gone missing. Sessions are backed by cookies. When a session is created, the server adds a Set-Cookie header with the session ID. The client must send the same cookie back in the Cookie header on all subsequent requests to the (context) path indicated in the Set-Cookie header. You can monitor this in the HTTP traffic monitor (Network tab) of the browser's built-in developer toolset (press F12 in Chrome / Firefox 23+ / IE9+). Cookies are available to all web applications in the same cookie domain. Also, if ServletC2 runs in a different webapp context than ServletC1, it will not use the same session. In addition, if the "server" web application runs in the same domain, it could theoretically override all cookies of the "client" web application.

  • The client does not support cookies. A well-designed web application uses URL rewriting with jsessionid to track cookieless clients across requests within the same web application. But the second web application must do the same when redirecting back to the first web application.

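The following is an example added here, not code from the question or the answer, showing how to put the answer's tracing advice in place: a session listener that logs creation and destruction (and whether destruction looks like a timeout or an invalidate() call), a filter that logs for every request whether a session ID arrived, how it arrived, and whether it still matches a live session, and a redirect helper that uses URL rewriting for cookieless clients. It is written against the Servlet 2.3 API in Java 1.4 syntax so it compiles on Java 1.4.2 / WebSphere. All class, logger and web.xml names are assumptions of mine, not anything from the page.

```java
// Added example (not from the original question or answer). Servlet 2.3 API,
// Java 1.4 syntax, so it compiles on Java 1.4.2 / WebSphere. All class,
// logger and web.xml names here are my own choices, not anything from the page.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionTrace {
    private static final Logger LOG = Logger.getLogger("session.trace");

    /** Logs every session creation and destruction (timeout or invalidate()). */
    public static class TraceListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            LOG.info("session created id=" + s.getId()
                    + " timeout=" + s.getMaxInactiveInterval() + "s");
        }

        public void sessionDestroyed(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            String msg = "session destroyed id=" + s.getId();
            try {
                // Idle time at or above the timeout means the container expired it;
                // well below it means some code called invalidate().
                long idleSec = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
                msg += " idle=" + idleSec + "s of " + s.getMaxInactiveInterval() + "s";
            } catch (IllegalStateException ex) {
                // Some Servlet 2.3 containers fire this after invalidation; the id is still logged.
                msg += " (already invalidated)";
            }
            LOG.info(msg);
        }
    }

    /** Logs, per request, whether a session id arrived, how, and whether it still matches a live session. */
    public static class TraceFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            String uri = r.getRequestURI();
            String sent = r.getRequestedSessionId();
            if (sent == null) {
                LOG.info(uri + ": no session id sent (first hit, cookies blocked, or cookie path/domain mismatch)");
            } else if (!r.isRequestedSessionIdValid()) {
                LOG.info(uri + ": session id " + sent
                        + " sent but not valid here (expired, invalidated, or created by another webapp context)");
            } else {
                LOG.info(uri + ": session " + sent + " resumed via "
                        + (r.isRequestedSessionIdFromCookie() ? "cookie" : "URL rewriting"));
            }
            chain.doFilter(req, res);
        }
    }

    /**
     * Redirect while keeping the session for cookieless clients: encodeRedirectURL
     * appends ;jsessionid=... only when the container decides it is needed, i.e. the
     * client did not send a session cookie. It only helps for URLs inside this webapp;
     * another webapp context has its own session and must do the same on its way back.
     */
    public static void redirectKeepingSession(HttpServletResponse res, String url)
            throws IOException {
        res.sendRedirect(res.encodeRedirectURL(url));
    }
}

/* Registration in web.xml (names assumed):
   <listener><listener-class>SessionTrace$TraceListener</listener-class></listener>
   <filter><filter-name>sessionTrace</filter-name>
           <filter-class>SessionTrace$TraceFilter</filter-class></filter>
   <filter-mapping><filter-name>sessionTrace</filter-name><url-pattern>/*</url-pattern></filter-mapping>
   <session-config><session-timeout>30</session-timeout></session-config>
*/
```

To find which of the answer's four cases applies, line up the log by time: a "session destroyed" entry with idle time near the timeout points at expiry, one well below it at an invalidate() call, a "no session id sent" entry for the request coming back from the merchant at a lost or mis-scoped cookie, and a "sent but not valid here" entry at a session created in another webapp context. Compare the Set-Cookie path and domain seen in the browser's Network tab against the URL of that returning request.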
