Servlet sessions and automatic login: standard Java EE might not be enough for you

Java servlet session management works well for basic requirements, but has limits when it comes to advanced features:

• There is no standard global view of all the sessions, since HttpSession.getSessionContext() has been deprecated. If you want access to all sessions, you have to set up your own registry.
  
  


• You have relatively little control of when the session expires. For example, there is no standardized way of accessing the session cookie and extending its lifespan beyond browser restarts.
  
  


• Any kind of server access keeps the session alive: Long-pull is still a common technique for sending events from the server to the client and prevents a session from being inactive.
  
  

These kinds of limitations become relevant when you need to implement automatic login. There, you have the following options:

• Store user name and password in a cookie: This is inherently unsafe and should never be done.
  
  


• Let the browser remember user name and password: Firefox does this, but only for forms the exist at page load time. It is thus very complicated to get to work for Ajax dialogs.
  
  


• Keep the session around longer: One needs to control session timeout (after a given period of inactivity) and possibly cookie expiration (the session ID is normally removed once one quits the browser).
  
  

Simple solution, standard Java EE:

• During login, ask for the period of time one should stay logged in (if there is no activity).


• On the server, use HttpSession.setMaxInactiveInterval(). Beware: Some servlet containers seem to create a new session when this method is invoked.
  
  


• Problems: (1) Long-polling is registered as usage. (2) You cannot extend session lifespan beyond the next browser termination (because the cookie with the session ID will be removed).
  
  

Comprehensive solution, manual session management:

• Manage your sessions yourself. The client initially receives a session ID from the server and then sends it with each request to the server. The login security FAQ [1] has more details.


• It would be interesting to integrate this kind of session management with Google Guice which currently supports servlet sessions via a dedicated scope.
  
  

Related topics:

• [1] Google has a nice login security FAQ.


• [2] HttpSessionListener allows you to get notified of session creation and destruction.


• [3] HttpSessionBindingListener can get you notified when a session expires (and is simpler than HttpSessionListener).


• [4] “Google goodness: using GWT with Guice” (mentions session management with Guice).