Session tracking and URL encoding

In this post, you will learn:

  • What is URL encoding?
  • How session of different users is tracked by the server?
  • How to find out whether cookies are disabled in the client browser?

Session tracking by the server

In the last post you were told that a HttpSession object can be get created on the server for each user. Before that you were also told that the server doesn’t remember a client after a request is processed. Now the question arises, If a server doesn’t remember a client then how can it manage a HttpSession object for it? If hundred clients are interacting to a web site then there would hundred HttpSession objects on the server. How does the server know which HttpSession object is for which client?

To understand the solution used by the server for the session tracking lets take the following analogy. Lets assume that you have gone to a shopping mall directly from your office or college. You would not have roamed there with your office or college bags on your back. What have you done with them? Deposited at the baggage counter, yes? When you deposited your bag, the person at the counter didn’t bother to know you but returned your bag when you asked for it later, how?

You got it right! The person at the luggage counter has pairs of numbered tokens. With each luggage he puts a token of the pair and gives the other one to the owner. When the owner comes to collect the luggage, he gives the token using which the person identifies the luggage and returns it.

Similar mechanism is used by the server for session tracking. For each HttpSession object, a unique sessionId is generated by the server. The HttpSession object is stored by the server in a map with the sessionId as key. This sessionId is provided to the client with the help of a session cookie. With each subsequent request, this sessionId is received by the server from the client and is used to pick the HttpSesstion object of the client from the map.

If cookies are disabled in the client’s browser how can session tracking be done?

You know that cookies can be disabled from the browser. If they are disabled then the above mechanism will fail because the session cookie will not be returned by the client. In such situations, URL encoding is used. In URL encoding, sessionId is get appended to all the URL of the response page. Whenever a request is submitted using any of these URL, sessionId is made available to the server as request parameter.

How sessionId can be encoded to a URL?

HttpServletResponse interface provides following methods for URL encoding.

1. encodeURL(): This method encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. Before encoding it checks whether browser supports cookies or not.

public String encodeURL(String URL);

1. encodeRedirectURL(): This method encodes the specified URL which is to be used in sendRedirect() method by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. It also checks whether browser supports cookies or not.

public String encodeRedirectURL(String redirectionURL);

Practical example of URL encoding:

To test URL encoding, disable cookies from your browser. I have disabled the cookies in chrome by using following steps: settings->show advance settings…->Privacy->Content Settings…->Block sites from setting any data and Block third-party cookies and site data. The following image describes the Content setting dialog box of the chrome.


Now execute the application of last example in which we have used the HttpSession for state management. In the response page of the TourServlet you will receive null in place of user name as displayed in the following image.


Make the following changes to the WelcomeServlet. <a href=tourServlet>Take a tour</a> is replaced by <a href=”+response.encodeURL(“tourServlet”)+”>Take a tour</a>.

package com.techmentro.learningpad;

import javax.servlet.*;
import javax.servlet.http.*;

public class WelcomeServlet extends HttpServlet 
	public void doPost(HttpServletRequest request, 
			HttpServletResponse response)
			throws ServletException, IOException {
		//Value of name request parameter is read
		String user=request.getParameter("name");
		//HttpSession object is get created for the user
		HttpSession session=request.getSession();
		//user name is stored as attribute in the session scope.
		PrintWriter out=response.getWriter();
		out.println("Welcome, "+user);
		//A hyper link  is added to send the request to the tourServlet having encoded URL
		//If the cookies are disabled in the browser then sessionId will be added to the URL so that user's session can be tracked.
 Take a Tour");

Execute the application again with cookies disabled as before. In the response page of WelcomeServlet, hover the pointer over the hyper link to view its URL. You will notice that jsessionId parameter is appended to the URL as displayed in the following image.


Click on the Take a Tour link, you will receive the response of the TourServlet with proper user name as displayed by the following image.


Now enable the cookies as described by the following image.


Now send request to the WelcomeServlet again. The response page will have hyper link as before for tourServlet but no jsessionId will be appended to it as described by following images.


Click on the Take a Tour link again, you will receive the response of the TourServlet with proper user name as before. This time session cookie are used for session tracking.

If you like the post, then share it...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn

One thought on “Session tracking and URL encoding

  1. Nice Content!
    It is very helpful and authentic content on Java and the best one I ever found online on Java technology.Every one should read this nice and quality based content.

    Best of luck for your work!

Leave a Reply

Your email address will not be published. Required fields are marked *