
Servlet – HttpSession Login and Logout Example

Last Updated : 13 Jan, 2022

In computing, the term “session” refers to a period of time during which a user’s activity takes place on a website. Whenever you log in to an application or a website, the server must validate/identify the user and track the user's interactions across the application. To achieve this, Java web servers support the servlet standard session interface, called HttpSession, to perform all the session-related activities.

HttpSession Interface

The Java Servlet API provides the HttpSession interface in the javax.servlet.http package. This interface provides a way to identify a user across more than one page request or visit to a website. The servlet container uses this interface to create a session between an HTTP client and an HTTP server, and stores information about that user. It provides various methods to manipulate information about a session, such as:

  • To bind objects to a session for a specific user.
  • To get the creation time.
  • To get the last time the user accessed the website in that session.
  • To invalidate the session, etc.

Creating a Session

Once the user logs in to the website, we need to create a new session. To do this, we use the getSession() method of the HttpServletRequest interface.

1) HttpSession getSession():

Java




HttpSession session = request.getSession();


This method returns the current session associated with this request. If the request does not have a session, it creates one. We can also create a session using the getSession(boolean create) method of the HttpServletRequest interface.

2) HttpSession getSession(boolean create):

We can pass a boolean argument: true or false.

getSession(true):

Java




HttpSession session = request.getSession(true);


This call behaves the same as getSession(): it returns the current session associated with this request. If the request does not have a session, it creates one.

getSession(false):

Java




HttpSession session = request.getSession(false);


This method returns the current session associated with this request. If the request does not have a session, it returns null.

Invalidating the session

Once the user requests to log out, we need to destroy that session. To do this, we use the invalidate() method of the HttpSession interface.

void invalidate():

Java




HttpSession session = request.getSession();
session.invalidate();


When invalidate() is called on the session, it invalidates the session and unbinds all the objects that are bound to it.

Servlet Login-Logout Example

We will create a basic Servlet program to display a welcome message for the validated users.

Steps to create the program:

  • Create “Dynamic Web Project – Servlet_LoginLogout” in Eclipse.
  • Under WEB-INF folder, create a JSP page – “login.jsp” to get the login credentials of the user.
  • Under src folder, create a Servlet – “LoginServlet.java” to process the login request and generate the response.
  • Under WEB-INF folder, create a JSP page – “welcome.jsp” to display the welcome message to the user.
  • Under src folder, create a Servlet – “LogoutServlet” to process the logout request and generate the response.
  • Run the program using “Run As -> Run on Server”.

Project Structure

login.jsp

HTML




<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Page</title>
</head>
<body>
  
    <form action="login" method="post">
  
        <h3>Enter Login details</h3>
  
        <table>
            <tr>
                <td>User Name:</td>
                <td><input type="text" name="usName" /></td>
            </tr>
            <tr>
                <td>User Password:</td>
                <td><input type="password" name="usPass" /></td>
            </tr>
  
        </table>
          
        <input type="submit" value="Login" />
  
    </form>
</body>
</html>


  • In “login.jsp”, we have 2 fields, User Name and Password.
  • The User Name input type is specified as “text”, which means a text field.
  • The Password input type is specified as “password” so that when the user types in the password field, the letters are hidden as dots.
  • We have a form with action “login” and method “post” so that when this form is submitted, it maps to the LoginServlet, which has the same URL mapping, and executes the “doPost” method of that servlet.

LoginServlet.java:

Java




import java.io.IOException;
import java.io.PrintWriter;
  
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
  
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
  
    public LoginServlet() {
        super();
    }
  
    // doPost() method
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
  
        // Set the content type of response to "text/html"
        response.setContentType("text/html");
  
        // Get the print writer object to write into the response
        PrintWriter out = response.getWriter();
  
        // Get the session object
        HttpSession session = request.getSession();
  
        // Get User entered details from the request using request parameter.
        String user = request.getParameter("usName");
        String password = request.getParameter("usPass");
  
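        // Validate the password - If password is correct,
        // set the user in this session
        // and redirect to welcome page.
        // Calling equals() on the constant avoids a NullPointerException
        // when the "usPass" parameter is missing from the request.
        if ("geek".equals(password)) {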
            session.setAttribute("user", user);
            response.sendRedirect("welcome.jsp?name=" + user);
        }
        // If the password is wrong, display the error message on the login page.
        else {
            RequestDispatcher rd = request.getRequestDispatcher("login.jsp");
            out.println("<font color=red>Password is wrong.</font>");
            rd.include(request, response);
        }
        // Close the print writer object.
        out.close();
    }
}


  • In “LoginServlet.java”, we are using the annotation @WebServlet("/login") to map the URL request. You can also specify this mapping for the servlet using the deployment descriptor, web.xml.
  • As we learned, getSession() returns the HttpSession object. If the request does not have a session, it creates a session and returns it.
  • Here, we need to get the user details that are passed through the request, Name and Password, using “getParameter()” on the request object.
  • For simplicity, we are just validating the password field. So, the User name can be anything but the Password must be “geek”.
  • Validate the password and, if it is correct, set the user name as an attribute in the session and redirect to the page that displays the welcome message.
  • If the entered password is incorrect, display an error message to the user on the login screen using the PrintWriter object.
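
The login flow above reuses whatever session the browser already had and passes the user name in the redirect URL. The following is an added example, not part of the original tutorial: a hypothetical variant (`HardenedLoginServlet`) that replaces LoginServlet, issues a fresh session on successful login so a session ID set before authentication cannot be reused, and keeps the name only in the session. It assumes the welcome page reads the “user” session attribute instead of the `name` parameter; the 15-minute timeout is an illustrative value.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical hardened replacement for the tutorial's LoginServlet.
@WebServlet("/login")
public class HardenedLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("usName");
        String password = request.getParameter("usPass");

        // Missing or empty parameters count as a failed login, not an exception.
        // "geek" is the tutorial's demo password; a real application would
        // verify a salted password hash from its user store instead.
        if (user == null || user.isEmpty() || !"geek".equals(password)) {
            // No session is created for a client that has not authenticated.
            response.setContentType("text/html");
            response.getWriter().println("<font color=red>Login failed.</font>");
            request.getRequestDispatcher("login.jsp").include(request, response);
            return;
        }

        // Session fixation defence: drop any session that existed before login
        // and let the container issue a new session ID for the authenticated user.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60); // illustrative idle timeout, in seconds

        // The user name stays server-side; nothing user-controlled goes in the URL.
        response.sendRedirect("welcome.jsp");
    }
}
```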

welcome.jsp:

HTML




<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Welcome Page</title>
</head>
<body>
  
    <form action="logout" method="get">
  
        <h2>
            Hello
            <%=request.getParameter("name")%>!
        </h2>
        <h3>Welcome to GeeksforGeeks..</h3>
  
        <br> <input type="submit" value="Logout" />
    </form>
      
</body>
</html>


  • On the Welcome page, display the user name and a welcome message.
  • We have a form with action “logout” and method “get” so that when this form is submitted, it maps to the LogoutServlet, which has the same URL mapping, and executes the “doGet” method of that servlet.
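
welcome.jsp prints the `name` request parameter as-is and renders for anyone who opens the URL, logged in or not. The following is an added example, not part of the original tutorial: a hypothetical `WelcomeServlet` (mapped to an assumed `/welcome` URL) that serves the same page only when the session holds a “user” attribute and HTML-escapes the name before writing it.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical servlet alternative to the tutorial's welcome.jsp.
@WebServlet("/welcome")
public class WelcomeServlet extends HttpServlet {
    // Minimal HTML escaping for text placed in element content or attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (!(user instanceof String)) {
            response.sendRedirect("login.jsp");
            return;
        }
        response.setContentType("text/html; charset=UTF-8");
        // Keep the page out of caches so "Back" after logout does not show it.
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<h2>Hello " + escapeHtml((String) user) + "!</h2>");
        out.println("<form action=\"logout\" method=\"get\">"
                + "<input type=\"submit\" value=\"Logout\" /></form>");
    }
}
```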

LogoutServlet.java:

Java




import java.io.IOException;
import java.io.PrintWriter;
  
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
  
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
  
    public LogoutServlet() {
        super();
    }
  
    // doGet() method
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
  
        // Get the print writer object to write into the response
        PrintWriter out = response.getWriter();
  
        // Set the content type of response to "text/html"
        response.setContentType("text/html");
  
        // For understanding purpose, print the session object in the console before
        // invalidating the session.
        System.out.println("Session before invalidate: "+ request.getSession(false));
  
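        // Invalidate the session, if there is one. getSession(false) returns
        // null when the request has no session (e.g. /logout opened directly),
        // so check before calling invalidate().
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }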
  
        // Print the session object in the console after invalidating the session.
        System.out.println("Session after invalidate: "+ request.getSession(false));
  
        // Print success message to the user and close the print writer object.
        out.println("Thank you! You are successfully logged out.");
        out.close();
    }
  
}


  • Here also, we are using the annotation @WebServlet("/logout") to map the URL request.
  • When the user clicks on Logout, we need to destroy that session. So, call the “invalidate()” method on that session object.
  • For our understanding, we can print the session object value in the console to see if the session is invalidated.
  • As we learned, “getSession(false)” returns the current session of the request if it exists; if not, it returns null. So, after invalidating the session, it should print null in the console.
  • Finally, print the success message to the user.

Output:

  • Run the program on the server.
  • URL: http://localhost:8081/Servlet_LoginLogout/login.jsp

Login Page

  • The browser displays the Login page.

Login with User details

  • Enter the user name and password and click on Login.
  • Give the Password as “geek”, as we are validating against it; if not, it displays an error like below.

Incorrect_password

  • Enter the correct credentials and log in.

Welcome Page

  • The User name which we set in the session object is displayed with a welcome message.
  • Click on Logout.

Logout_success

  • Now, if you check the console, it prints the session object values.

Console

  • As you can see, “getSession(false)” returned the existing session object.
  • After the invalidate method, as there is no session, it returned “null”.

Alternative methods to logout the user

1) In the above example, we have used the “invalidate()” method. You can also use the “removeAttribute(String name)” method of the HttpSession interface.

Java




HttpSession session = request.getSession();
session.removeAttribute("user");


This method removes the object bound with the specified name (in this example, “user”) from this session. If the session does not have an object bound with the specified name, it does nothing. So, instead of the “invalidate()” method, you can use “removeAttribute(String)” to log the user out of the session. Note that, unlike “invalidate()”, this leaves the session itself valid: the session ID and any other attributes bound to the session remain in place.

2) In the above example, we invalidated the session manually. If you want, you can also configure the session to time out automatically after being inactive for a defined time period.

“void setMaxInactiveInterval(int interval)”:

Java




HttpSession session = request.getSession();
session.setMaxInactiveInterval(100);


This method specifies the time, in seconds, between client requests before the servlet container will invalidate this session. Here, as we specified the value “100”, the servlet container will invalidate the session after 100 seconds of inactivity from the user (session timeout).

Conclusion

In this way, you can maintain a session for a specific user/client and can implement Login and Logout for applications using HttpSession Interface methods based on the requirements.


