There are a number of problems that arise from the fact that HTTP is the "stateless" protocol. In particular, when you are doing the on-line shopping, it is a real annoyance that the Web server can't easily remember previous transactions. This makes the applications like shopping carts very problematic: when you add an entry to your cart, how does the server know what's already in your cart? Even if servers did retain contextual information, you'd still have the problems with e-commerce. When you move from the page where you specify what you want to buy (hosted on the regular Web server) to the page that takes your credit card number and shipping address (hosted on the secure server that uses SSL), how does the server remember what you were buying?

There are four types of techniques used in servlet to handle the session which are as follows:

1.URL Rewritting

2.Hidden Form Fieds

3.Http Session

4.Secure Socket Layer(SSL)

You can append some extra data on the end of the each URL that identifies the session, and the server can associate that session identifier with data it has stored about that session only. This is also an excellent solution, and even has advantage that it works with the browsers that don't support cookies or where the user has disabled cookies. However, it has most of same problems as cookies, namely that the server-side program has a lot of straightforward but tedious processing to do. In addition, you have to be very careful that every URL returned to user (even via indirect means like Location fields in server redirects) has the extra information appended. And, if the user leaves session and comes back via a bookmark or link, the session information can be lost.

HTML forms have an entry that looks like following: <input type="hidden" name="session" value="...">. This means that, when the form is submitted, the specified name and value are included in GET or POST data. This can be used to store information about the session. However, it has the major disadvantage that it only works if every page is dynamically generated, since the whole point is that each session has the unique identifier.

The HttpSession interface is implemented by the services to provide an association between an HTTP client and HTTP server. This association, or session, persists over multiple connection and/or requests during a given time period. Sessions are used to maintain the state and user identity across multiple page requests.

A session can be maintained either by using the cookies or by URL rewriting. To expose whether the client supports cookies, HttpSession defines the isCookieSupportDetermined method and an isUsingCookies method.

HttpSession defines the methods which store these types of data:

• Standard session properties, such as an identifier for the session, and the context for the session.
• Application layer data, accessed using this interface and stored using the dictionary-like interface.

The Secure Sockets Layer protocol, or SSL, sits between application-level protocol (in this case HTTP) and the low-level transport protocol (for the Internet, almost exclusively TCP/IP). It handles the details of the security management using public key cryptography to encrypt all client/server communication. SSL was introduced by Netscape with Netscape Navigator 1. It has since become the de facto standard for the secure online communications and forms the basis of he Transport Layer Security (TLS) protocol currently under development by the Internet Engineering Task Force.

SSL Version 2.0, the version first to gain the widespread acceptance, includes support for server certificates only. It provides the authentication of the server, confidentiality, and integrity. Here's how it works:

• A user connects to the secure site using the HTTPS (HTTP plus SSL) protocol. (You can detect sites using the HTTPS protocol because their URLs begin with https: instead of http:.)





• The server signs its public key with its private key and sends it back to browser.





• The browser uses server's public key to verify that the same person who signed the key actually owns it.





• The browser check to see whether a trusted certificate authority signed the key. If one didn't, the browser asks the user if the key can be trusted and proceeds as directed.





• The client generates a symmetric ( DES) key for session, which is encrypted with the server's public key and sent back to the server. This new key is used to encrypt all the subsequent transactions. The symmetric key is used because of high computational cost of public key cryptosystems