Session tracking is a concept which allows you to maintain a relation between 2 successive requests made to a server on the Internet. Whenever a user browses any website, he/she make a request to server via HTTP to get data from that server/website. While the data is transferred from server to client (in this case it is a web browser) no state (data/attribute) is stored on server side about client requests.

Reason for that is, because HTTP is a stateless (means no data/attribute is stored on server about client's state). Every time a requests comes in from a client it is served as a new request, it doesn't understand if the same request made was 1 min or 5 mins before. There is no correlation between 2 successive requests on the server. From a server point of view it doesn't care who is requesting for webpages. All it does it returns the webpage that has been requested. This is what is meant by being stateless.

Their are 4 main methods

1) Using cookies
Session tracking through HTTP cookies is the most used session tracking mechanism and is required to be supported by all servlet containers. The container sends a cookie to the client. The client will then return the cookie on each subsequent request to the server, unambiguously associating the request with a session.

A cookie are of two types temporary and permanent.

Temporary Lasts for the life of the browser instance. Temporary cookies are good for holding user name and password for use in authenticating access to secure systems. By default, the servlet API creates temporary cookies.

Permanent Lasts until they expire or are deleted. Permanent cookies are good for holding information such as user name and last-accessed date. To create permanent cookies, you can use the cookie object's setMaxAge method.

To create a cookie:

Create data to be saved in the cookie
Date today = new Date();
String todayString = today.toString();

Create a new Cookie object
Cookie lastVisitCookie = new Cookie("lastVisit", todayString);

Set a time-out for the cookie, in seconds
lastVisitCookie.setMaxAge(60*60*24*365);
This doesnt destroy cookie for a year

Send the cookie back to the browser by associating the Cookie object with the
servlet response object
resp.addCookie(lastVisit);

2) Using Session object

Get Session object form HttpServletRequest object
HttpSession session = request.getSession(true);

Get a Value from the session
session.getValue(session.getId());

Add value to a session object
Employee emp = new Employee();
session.putValue(session.getId(), emp);

At the end of the session, we can inactivate/close the session
session.invalidate();

3) Using hidden fields
You can use a hidden field submitted by the FORM HTML tag to pass the session ID from the client to the server.

To use hidden form fields, you create a session and then use that session's ID as the value of the session field in a FORM element.

4) By URL rewriting
URL rewriting is the least preferred method of session tracking. When a client will not accept a cookie, URL rewriting may be used by the server as the basis for session tracking. URL rewriting involves adding data, a session ID, to the URL path that is interpreted by the container to associate the request with a session. Del.icio.us Digg! My StumbleUpon Page