1. Traditional ways to perform session tracking: user authentication (getRemoteUser()); hidden form fields (<input type=hidden name="..." value="...">); URL rewriting (some use new java.rmi.server.UID().toString() as the unique identifier); persistent cookies.
2. Sessions are scoped at the web Application level.
3. Setting the session timeout: in web.xml: <session-config> <session-timeout> value </session-timeout> </session-config>. HttpSession.setMaxInactiveInterval(int secs): secs < 0 means the session never times out.
4. URL rewriting session tracking: HttpServletResponse.encodeURL(String url); HttpServletResponse.encodeRedirectURL(String url); HttpServletRequest.isRequestedSessionIdValid().
5. Session binding: session.setAttribute(key, value), where value is an object that implements HttpSessionBindingListener.
HttpSessionBindingListener.valueBound() and HttpSessionBindingListener.valueUnbound() are invoked when the value is bound to and unbound from the session.
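An added example (not part of the original notes) that ties points 3 to 5 together in one servlet. It assumes the javax.servlet API (Servlet 3.x or 4.x) is on the classpath; the class names, the "tracker" attribute key and the "next" link target are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.io.Serializable;
import java.util.logging.Logger;
import javax.servlet.http.*;

// Hypothetical servlet: the names here are assumptions, not from the notes.
public class SessionNotesServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger("session-audit");

    // A session value that the container notifies when it is bound or unbound.
    static class LoginTracker implements HttpSessionBindingListener, Serializable {
        private final String user;
        LoginTracker(String user) { this.user = user; }

        @Override
        public void valueBound(HttpSessionBindingEvent e) {
            LOG.info("bound '" + e.getName() + "' for user " + user);
        }

        @Override
        public void valueUnbound(HttpSessionBindingEvent e) {
            // Fires on removeAttribute(), invalidate() and on session timeout.
            LOG.info("unbound '" + e.getName() + "' for user " + user);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(15 * 60); // seconds, applies to this session only

        if (session.getAttribute("tracker") == null) {
            // getRemoteUser() is null when the request is not authenticated.
            session.setAttribute("tracker", new LoginTracker(req.getRemoteUser()));
        }

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        // encodeURL() adds the session id to the URL only when the container
        // decides it is needed, e.g. the client has not sent the session cookie back.
        out.println("<a href=\"" + resp.encodeURL("next") + "\">next</a>");
        out.println("<p>requested session id valid: " + req.isRequestedSessionIdValid() + "</p>");
    }
}
```

The unbound log line gives a server-side record of when each session value was released, whether by logout or by timeout.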