5

I'm using the Scalatra framework to build a web application. The application relies on sessions, but I can't use session cookies (because technically there is only one user, who runs multiple sessions simultaneously).

Each session has a unique session key which I want to use as an identifier. I want this key to be sent as a GET or POST parameter instead of a cookie header.

My question now is: How can I store session information (i.e. a state) in a Scalatra servlet without cookies but just a parameter as identifier?

So far I tried to use the file system to store all session information, but this is too slow and unnecessary because the sessions only last a few seconds.

(Security is not an issue)

Waboodoo

2 Answers

5

I figured out how I can do it.

In every Scalatra servlet, I have access to the global servletContext which implements the javax.servlet.ServletContext interface. I can use its two methods setAttribute(x: String, y: Any) and getAttribute(x : String) to store information about my sessions, where x is my unique identifier and y is the session information encoded as a case class Session.

Effectively I have the following:

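// attributePrefix: a String defined elsewhere in the servlet (not shown in this answer)
def storeSession(key: String, session: Session): Unit = {
    servletContext.setAttribute(attributePrefix + key, session)
}

// Returns the stored Session, or null when the key is unknown or holds another type.
def loadSession(key: String): Session = {
    servletContext.getAttribute(attributePrefix + key) match {
        case s: Session => s
        case _ => null // also covers a missing attribute (getAttribute returned null)
    }
}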

This way I can keep a state on the server, without using cookies, only a single unique identifier that the client has to provide as a GET value.

I guess this technique can be applied to any servlet in Java and Scala which provides an instance of ServletContext, not just Scalatra.

Waboodoo
  • This is the quick-n-easy and default solution for storing "session data" when dealing with a Java servlet environment -- just what I was looking for. – Chris W. Jun 20 '13 at 00:39
  • How will you get the key? Will it be generated for each request? How does it identify the session? – Rajeev Dec 24 '13 at 10:53
  • The key is generated for each new session (not every request) using a random number generator somewhere else in the code in my case. Any identifier that is unique can be used. – Waboodoo Dec 24 '13 at 13:29
  • What about session invalidating as a result of timeout? Do you run some scheduled task which checks which session was not used for a long time? – amorfis Jul 20 '15 at 11:37
  • In my case I had a separate Thread that would periodically remove old sessions (I had my session keys begin with a timestamp so I could tell how old they were), but there might be a better way to do this. – Waboodoo Jul 20 '15 at 13:23
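
An in-memory variant of the store described in the answer and its comments, with CSPRNG-generated keys and idle-timeout eviction; this is an added example, not the answerer's code. `SessionStore`, the `Session` fields, `ttlMillis` and the `now` clock are assumptions, and only JDK classes are used, so a servlet would hold one instance and pass it the key parameter from each request.

```scala
import java.security.SecureRandom
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

// Hypothetical payload; the answer's own Session case class is not shown on the page.
final case class Session(user: String, step: Int)

// In-memory store keyed by the identifier the client sends as a GET/POST parameter.
// ttlMillis and the injectable clock `now` are assumptions made for this example.
final class SessionStore(ttlMillis: Long, now: () => Long = () => System.currentTimeMillis()) {
  private case class Entry(session: Session, lastUsed: Long)
  private val entries = new ConcurrentHashMap[String, Entry]()
  private val random = new SecureRandom()
  // 128 bits from a CSPRNG, URL-safe Base64 so the key survives a query string unescaped.
  private def newKey(): String = {
    val bytes = new Array[Byte](16)
    random.nextBytes(bytes)
    Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
  }

  def create(session: Session): String = {
    val key = newKey()
    entries.put(key, Entry(session, now()))
    key
  }

  // Unknown and expired keys both yield None; a hit refreshes the idle timer.
  def load(key: String): Option[Session] = Option(entries.get(key)).flatMap { e =>
    if (now() - e.lastUsed > ttlMillis) { entries.remove(key, e); None }
    else { entries.replace(key, e, e.copy(lastUsed = now())); Some(e.session) }
  }

  // Run periodically (e.g. from a scheduled task) to evict idle sessions; returns the count.
  def sweep(): Int = {
    var removed = 0
    val it = entries.entrySet().iterator()
    while (it.hasNext) {
      val e = it.next()
      if (now() - e.getValue.lastUsed > ttlMillis && entries.remove(e.getKey, e.getValue)) removed += 1
    }
    removed
  }
}

object Demo extends App {
  var clock = 0L // constructed clock so the example does not sleep
  val store = new SessionStore(ttlMillis = 5000L, now = () => clock)
  val key = store.create(Session("worker-1", 0))
  println(store.load(key)); clock = 6000L; println(store.load(key))
}
```

A key carried in a GET parameter is recorded in access logs and browser history, so sending it in a POST body keeps it out of those records.
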
1

Nice question.

Rather than storing state to disk and the performance hit that that entails, how about storing in-memory a la Redis?

There's a Scala implementation by debasishg, a heavy in the Scala community, which may fit the bill.

On the stateless side of the fence, in Spray, for example, this was suggested to me as an alternate means of maintaining state server-side; i.e. store the client cookie identifier in an in-memory cache vs. relying on HttpSession.

virtualeyes