Ways to track sessions:
Use cookies
URL rewriting
This method works for browsers that have cookies disabled.
SSL (Secure Sockets Layer) session
In Java programs, the javax.servlet.http.HttpSession interface is used to create sessions.
How to get a session object
HttpServletRequest#getSession
Returns the current session.
If there is no current session, it creates a new one.
HttpServletRequest#getSession(boolean create)
Returns the current session.
If there is no current session and create is true, it creates a new one.
If there is no current session and create is false, it returns null instead of creating one.
Session attributes
HttpSession#setAttribute(String name, Object value)
Binds an object to this session.
HttpSession#getAttribute(String name)
Gets the object bound in this session.
HttpSession#getAttributeNames() returns an Enumeration type object.
Session timeout
HttpSession#setMaxInactiveInterval(int interval)
Specifies the timeout value in seconds.
A negative value means no timeout.
OR
In web.xml, specify the timeout value in minutes.
<session-config>
    <session-timeout>20</session-timeout>
</session-config>
A negative value or 0 means no timeout.
Destroying session objects
Invoke HttpSession#invalidate
All objects bound in this session will be destroyed.
javax.servlet.http.HttpSessionListener
When a session is created or destroyed, the container notifies the classes that implement this listener.
HttpSession objects are not thread safe.
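The calls listed above, combined in one servlet (an added example, not code from the original notes): login discards any earlier session before binding the user to a new one, protected requests use getSession(false) so they never create a session, and the shared counter is an AtomicInteger because concurrent requests can touch the same session. The class name AccountServlet, the paths /login, /logout and /account, the attribute names "user" and "hits", and a container realm behind HttpServletRequest#login are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet, assumed to be mapped to /login, /logout and /account.
public class AccountServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getSession(false) never creates a session; it returns null if none exists.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // login and logout both discard the previous session
        }
        if (!"/login".equals(req.getServletPath())) { // anything else is treated as logout
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        try {
            // Container-managed credential check (Servlet 3.0+); assumes a configured realm.
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true); // fresh session after authentication
        session.setMaxInactiveInterval(20 * 60);    // seconds here, minutes in web.xml
        session.setAttribute("user", req.getRemoteUser());
        session.setAttribute("hits", new AtomicInteger()); // safe under concurrent requests
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // do not create a session for anonymous users
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        AtomicInteger hits = (AtomicInteger) session.getAttribute("hits");
        resp.setContentType("text/plain");
        resp.getWriter().println("Requests in this session: " + hits.incrementAndGet());
    }
}
```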