
Java Servlet – Login and Logout with Session Management (Cookies, HttpSession, URL Rewriting)

Java Servlet – Login and Logout with Session Management (Cookies, HttpSession, URL Rewriting)

Session management is how web applications maintain state between HTTP requests. HTTP is stateless — each request is independent — so to keep a user "logged in" across pages, you need a mechanism to track their identity. Java Servlets support three approaches: Cookies, HttpSession, and URL Rewriting. This tutorial demonstrates all three with a complete login/logout example.

Why Three Approaches?

  • HttpSession — server-side storage, most secure, preferred for sensitive data (user roles, auth tokens)
  • Cookies — client-side storage in browser, useful for preferences and "remember me" features
  • URL Rewriting — embeds session ID in the URL, fallback when cookies are disabled

Project Structure


src/
├── com/java9r/servlet/
│   ├── LoginServlet.java
│   ├── LogoutServlet.java
│   └── DashboardServlet.java
└── webapp/
    ├── login.jsp
    ├── dashboard.jsp
    └── WEB-INF/web.xml

Method 1: HttpSession (Recommended)


package com.java9r.servlet;

import jakarta.servlet.*;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;
import java.io.IOException;

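/**
 * Handles login by creating a server-side HttpSession.
 * Session data is stored on the server; the client only holds a session ID cookie.
 *
 * <p>On a successful login any session that existed before authentication is
 * invalidated and a fresh one is created, so the session ID changes at the
 * privilege boundary (session fixation defence). The credential check is
 * hard-coded for the tutorial only.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Idle timeout for authenticated sessions, in seconds (30 minutes). */
    private static final int SESSION_TIMEOUT_SECONDS = 30 * 60;

    /**
     * Authenticates the submitted form and starts an authenticated session.
     *
     * @param req the login form POST; reads the {@code username} and {@code password} parameters
     * @param res redirected to {@code dashboard} on success, otherwise forwarded to login.jsp
     * @throws ServletException if the forward to login.jsp fails
     * @throws IOException      if the redirect or forward fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {

        req.setCharacterEncoding("UTF-8");
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // Tutorial-only check. A real application looks the user up in a store and
        // compares a salted password hash (bcrypt/scrypt/argon2), never plaintext.
        if (isValidLogin(username, password)) {

            // Discard any pre-login session so the ID the client used before
            // authenticating is never promoted to an authenticated one.
            HttpSession preLogin = req.getSession(false);
            if (preLogin != null) {
                preLogin.invalidate();
            }

            // Create a brand-new session (true = create if none exists) with a new ID
            HttpSession session = req.getSession(true);
            session.setAttribute("username", username);
            session.setAttribute("role",     "admin");
            session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);

            res.sendRedirect("dashboard");

        } else {
            // One message for both unknown user and wrong password: don't reveal which.
            req.setAttribute("error", "Invalid username or password.");
            req.getRequestDispatcher("login.jsp").forward(req, res);
        }
    }

    /**
     * Shows the login form.
     *
     * @param req the incoming GET
     * @param res forwarded to login.jsp
     * @throws ServletException if the forward fails
     * @throws IOException      if the forward fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        req.getRequestDispatcher("login.jsp").forward(req, res);
    }

    /** Tutorial credential check; a missing (null) field is rejected. */
    private static boolean isValidLogin(String username, String password) {
        return "ravi".equals(username) && "java9r".equals(password);
    }
}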

package com.java9r.servlet;

import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;
import java.io.IOException;

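/**
 * Ends the user's session.
 *
 * <p>Invalidates the server-side HttpSession and, belt-and-suspenders, expires
 * the session cookie in the browser. A deletion cookie only works when its name
 * and path match the cookie the container issued; the container scopes the
 * session cookie to the application's context path (or to the path configured
 * in web.xml), so a fixed {@code "/"} would be ignored for an app deployed
 * under a context path.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    /** Session cookie name used when web.xml does not configure one. */
    private static final String DEFAULT_SESSION_COOKIE_NAME = "JSESSIONID";

    /**
     * Invalidates the session, expires its cookie and redirects to the login page.
     *
     * @param req the request whose session (if any) is ended
     * @param res receives the expired cookie and the redirect
     * @throws IOException if the redirect fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {

        HttpSession session = req.getSession(false);  // false = don't create one just to end it
        if (session != null) {
            session.invalidate();  // destroy the session and all its attributes
        }

        // Use the cookie name/path the container actually issued, falling back to the
        // defaults (JSESSIONID, scoped to the context path) when none is configured.
        SessionCookieConfig cookieConfig = req.getServletContext().getSessionCookieConfig();
        String cookieName = cookieConfig.getName();
        if (cookieName == null) {
            cookieName = DEFAULT_SESSION_COOKIE_NAME;
        }
        String cookiePath = cookieConfig.getPath();
        if (cookiePath == null) {
            // getContextPath() is "" for the root context, where the cookie path is "/"
            cookiePath = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
        }

        Cookie expired = new Cookie(cookieName, "");
        expired.setMaxAge(0);  // 0 = delete immediately
        expired.setPath(cookiePath);
        expired.setHttpOnly(true);
        res.addCookie(expired);

        res.sendRedirect("login");
    }

    /**
     * Accepts logout via POST as well, so the logout control can be a form rather
     * than a plain link (a state-changing action that should not be triggerable
     * by a simple cross-site GET).
     *
     * @param req the request whose session (if any) is ended
     * @param res receives the expired cookie and the redirect
     * @throws IOException if the redirect fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        doGet(req, res);
    }
}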

package com.java9r.servlet;

import jakarta.servlet.*;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;
import java.io.IOException;

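/**
 * Protected page: reachable only with a session that carries an authenticated user.
 *
 * <p>Responses are marked non-cacheable so that after logout the browser's Back
 * button re-requests the page (and is redirected to login) instead of replaying
 * a cached copy of the dashboard.
 */
@WebServlet("/dashboard")
public class DashboardServlet extends HttpServlet {

    /**
     * Renders the dashboard for the logged-in user, or redirects to login.
     *
     * @param req the request; its existing session (never a newly created one) is inspected
     * @param res redirected to {@code login} when unauthenticated, else forwarded to dashboard.jsp
     * @throws ServletException if the forward fails
     * @throws IOException      if the redirect or forward fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {

        HttpSession session = req.getSession(false);  // false = don't create new

        // Access control: no session, or a session without a logged-in user, goes to login
        if (!isAuthenticated(session)) {
            res.sendRedirect("login");
            return;
        }

        // Keep the authenticated page out of browser and proxy caches
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        req.setAttribute("username", session.getAttribute("username"));
        req.setAttribute("role",     session.getAttribute("role"));
        req.getRequestDispatcher("dashboard.jsp").forward(req, res);
    }

    /** True when a session exists and LoginServlet has stored a username in it. */
    private static boolean isAuthenticated(HttpSession session) {
        return session != null && session.getAttribute("username") != null;
    }
}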

login.jsp


<%@ page contentType="text/html;charset=UTF-8" %>
<%-- Login form. Posts to the LoginServlet mapped at "login" (relative to this page's URL). --%>
<!DOCTYPE html>
<html>
<head><title>Login – Java9R</title></head>
<body>
<h2>Login</h2>
<%-- "error" is set by LoginServlet to a fixed server-side message. <%= %> writes the
     value unescaped, so if this attribute ever carries user-supplied text it must be
     HTML-escaped before output to avoid reflected XSS. --%>
<% if (request.getAttribute("error") != null) { %>
    <p style="color:red;"><%= request.getAttribute("error") %></p>
<% } %>
<form action="login" method="post">
    Username: <input type="text"     name="username" required /><br/>
    Password: <input type="password" name="password" required /><br/>
    <button type="submit">Login</button>
</form>
</body>
</html>

Method 2: Cookies


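// Setting a cookie (e.g., to remember the username for 7 days).
// A cookie value may only use a restricted character set (no ';', ',', whitespace
// or quotes); containers reject or mangle anything else, so the raw username is
// Base64url-encoded first. Stdlib types are fully qualified because this is a
// fragment — in a servlet they would be ordinary imports.
String encodedUsername = java.util.Base64.getUrlEncoder().withoutPadding()
        .encodeToString(username.getBytes(java.nio.charset.StandardCharsets.UTF_8));
Cookie usernameCookie = new Cookie("username", encodedUsername);
usernameCookie.setMaxAge(7 * 24 * 60 * 60);  // 7 days in seconds
usernameCookie.setPath("/");
usernameCookie.setHttpOnly(true);  // not accessible via JavaScript (XSS protection)
usernameCookie.setSecure(true);    // only sent over HTTPS
res.addCookie(usernameCookie);

// Reading a cookie. getCookies() returns null when the request carries no cookies.
String savedUsername = null;
Cookie[] cookies = req.getCookies();
if (cookies != null) {
    for (Cookie cookie : cookies) {
        if ("username".equals(cookie.getName())) {
            try {
                byte[] raw = java.util.Base64.getUrlDecoder().decode(cookie.getValue());
                savedUsername = new String(raw, java.nio.charset.StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // The value is client-controlled; anything that is not valid Base64url
                // is treated as "no remembered username" rather than an error.
                savedUsername = null;
            }
            break;  // first match wins
        }
    }
}
// savedUsername != null → pre-fill the login form, etc. It came from the client, so
// treat it as untrusted input and escape it when rendering.

// Deleting a cookie: name and path must match the cookie being removed
Cookie deleteCookie = new Cookie("username", "");
deleteCookie.setMaxAge(0);  // expire immediately
deleteCookie.setPath("/");
res.addCookie(deleteCookie);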

Method 3: URL Rewriting


// URL rewriting: the container appends ";jsessionid=..." to URLs so the session
// can be tracked even when the client refuses cookies.

// Every link or redirect the servlet emits must go through the encoder — one
// un-encoded link is enough to lose the session for a cookie-less client.
String dashboardLink = res.encodeURL("dashboard");        // for links written into pages
String loginRedirect = res.encodeRedirectURL("login");    // for sendRedirect()

// With cookies enabled both calls hand back the argument unchanged.
// With cookies disabled the result carries the session ID, e.g.
//   dashboard;jsessionid=8A2B3C4D5E6F

Session Security Best Practices

  • Use HTTPS: Session IDs sent over plain HTTP can be intercepted (session hijacking)
  • Regenerate session after login: Call session.invalidate() then create a new session to prevent session fixation attacks
  • Set a timeout: session.setMaxInactiveInterval(1800) — automatically expire idle sessions
  • HttpOnly cookies: Mark session cookies as HttpOnly to prevent JavaScript access
  • Don't store passwords in session: Only store usernames, roles, and user IDs

// Session regeneration after a successful login (session fixation defence):
// the ID the client used before authenticating must never become the
// authenticated session's ID.
HttpSession preLoginSession = req.getSession(false);
if (preLoginSession != null) {
    preLoginSession.invalidate();  // drops the old ID and every pre-login attribute
}
// Servlet 3.1+ also offers req.changeSessionId(), which swaps the ID but keeps
// the attributes — use it when pre-login state must survive the login.
HttpSession authenticatedSession = req.getSession(true);  // fresh session, fresh ID
authenticatedSession.setAttribute("username", username);

Comparison

| Method | Storage | Security | Works if cookies disabled? |
|---|---|---|---|
| HttpSession | Server | High | No (unless combined with URL rewriting) |
| Cookies | Browser | Medium | No |
| URL Rewriting | URL | Low (ID visible in logs/bookmarks) | Yes |

Summary

For login/logout session management, HttpSession is the standard and most secure approach. Cookies are used alongside sessions for features like "remember me" or user preferences. URL rewriting is a last resort for environments where cookies are disabled. Always use HTTPS, mark sensitive cookies as HttpOnly and Secure, regenerate the session ID after login to prevent session fixation, and call session.invalidate() on logout to ensure complete cleanup.
