Lecture 21: Session Tracking using Cookies

BMC201 - Web Technology

Mr. Prashant Kumar Nag

2026-02-25

Week 7 | Unit III: Web App Development (Servlets + JSP)
Mr. Prashant Kumar Nag, Assistant Professor

Learning Objectives


  • Explain stateless HTTP limitations
  • Create and read cookies in servlet flow
  • Configure cookie lifetime and attributes

Prerequisites


  • Java basics: classes, methods, objects, and exception handling
  • HTTP request-response fundamentals from Unit I/II web context
  • Revision of Lecture 20 before moving into Session Tracking using Cookies

Syllabus Mapping


  • Unit III topic focus: Session Tracking using Cookies
  • CO alignment: implementation understanding + architecture reasoning
  • Assessment alignment: short definitions + long implementation/design questions

Agenda


  • 5-minute recap from previous lecture
  • Concept deep dive: Session Tracking using Cookies
  • Code/configuration walkthrough and output analysis
  • Debug checklist and exam-oriented summary

Introduction


Cookies provide a practical way to carry lightweight state between stateless HTTP requests.

In real systems, cookies are used for preferences, tracking returning users, and linking to server-side session state. Correct attribute selection (Max-Age, Path, HttpOnly, Secure, SameSite) directly impacts both behavior and security.

Think About It


If two users share the same browser, what cookie design prevents incorrect personalization?

Cookie Flow


flowchart LR
  U["User Request"] --> S["Servlet"]
  S -->|Set-Cookie header| B["Browser stores cookie"]
  B -->|Next request with Cookie header| S
  S --> R["Personalized response"]

  • Server sends cookie in response header (Set-Cookie)
  • Browser automatically returns cookie on matching path/domain
  • Cookie value helps identify preferences or lightweight user state

Cookie Types and Important Attributes


Concept            Meaning                                        Practical Use
Session Cookie     Removed when browser closes                    Temporary user flow state
Persistent Cookie  Survives browser restart via Max-Age/Expires   Remember preferences
HttpOnly           Blocks JavaScript access                       Reduces XSS cookie theft risk
Secure             Sends cookie only on HTTPS                     Prevents plaintext transport
SameSite           Controls cross-site send behavior              CSRF risk reduction

Design rule: store identifiers in cookies, not sensitive business data.

Session Tracking Comparison Snapshot


Approach       Where State Lives  Best Use                              Key Limitation
Cookies        Browser            Preferences, lightweight identifiers  Client-side exposure and size limits
URL Rewriting  URL                Cookie-disabled environments          URL leakage/bookmark issues
Hidden Fields  Form pages         Multi-step form state                 Works only on form submits
HttpSession    Server             Auth and protected user state         Server memory cost

Lecture 21 focus: cookie attributes and secure cookie usage strategy.

Code Walkthrough


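// Runs inside doGet(HttpServletRequest request, HttpServletResponse response).
// Needs javax.servlet.http.Cookie (jakarta.servlet.http.Cookie on Jakarta EE 9+).
Cookie c = new Cookie("theme", "dark");
c.setMaxAge(7 * 24 * 60 * 60); // persistent cookie: 7 days, in seconds
c.setHttpOnly(true);           // not readable from page JavaScript
c.setPath("/");                // returned on every path of this host
response.addCookie(c);

// getCookies() returns null when the request carries no cookies.
Cookie[] cookies = request.getCookies();
if (cookies != null) {
  for (Cookie ck : cookies) {
    if ("theme".equals(ck.getName())) {
      // The value comes from the client; encode it before placing it in HTML.
      response.getWriter().println(ck.getValue());
    }
  }
}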
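
The walkthrough above sets Max-Age, HttpOnly and Path. The following added example (not part of the original lecture code) also emits Secure and SameSite by building the Set-Cookie value by hand, which is needed on Servlet API versions whose Cookie class has no SameSite setter, and it stores an opaque identifier rather than user data. The class name CookieHeaderDemo, its helper methods and the sample values are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Added example: builds hardened Set-Cookie header values with plain JDK classes.
public class CookieHeaderDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Opaque identifier: 128 random bits, URL-safe Base64, no user data inside.
    static String newOpaqueId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Reject characters that could end the cookie value or the header line early.
    static void requireCookieSafe(String s) {
        for (char ch : s.toCharArray()) {
            if (ch <= 0x20 || ch >= 0x7f || ch == ';' || ch == ',' || ch == '"' || ch == '\\') {
                throw new IllegalArgumentException("illegal character in cookie field");
            }
        }
    }

    // maxAgeSeconds < 0: session cookie (no Max-Age); 0: delete; > 0: persistent.
    static String setCookie(String name, String value, int maxAgeSeconds, String sameSite) {
        requireCookieSafe(name);
        requireCookieSafe(value);
        if (!sameSite.equals("Strict") && !sameSite.equals("Lax") && !sameSite.equals("None")) {
            throw new IllegalArgumentException("SameSite must be Strict, Lax or None");
        }
        StringBuilder h = new StringBuilder(name).append('=').append(value);
        if (maxAgeSeconds >= 0) h.append("; Max-Age=").append(maxAgeSeconds);
        h.append("; Path=/; HttpOnly; Secure; SameSite=").append(sameSite);
        return h.toString();
    }

    public static void main(String[] args) {
        // Cookie names and values below are constructed sample data.
        System.out.println("Set-Cookie: " + setCookie("sid", newOpaqueId(), -1, "Lax"));
        System.out.println("Set-Cookie: " + setCookie("theme", "dark", 7 * 24 * 60 * 60, "Lax"));
        System.out.println("Set-Cookie: " + setCookie("theme", "", 0, "Lax")); // expire it
        try {
            setCookie("theme", "dark\r\nSet-Cookie: sid=x", 60, "Lax"); // CR/LF in value
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet, pass the returned string to `response.addHeader("Set-Cookie", value)`. Expiring a cookie only works when the Path matches the one used when it was set.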

Memory Booster


Syllabus memory points for Session Tracking using Cookies:

  • Core recall: Cookie creation/read/expiry
  • Exam compare: Persistent cookies vs session cookies
  • Practical anchor: Store user preference in cookie and retrieve on next request

Live Demo


Live implementation for Session Tracking using Cookies:

Open Demo: Lecture 21 - Session Tracking using Cookies

Demo flow:

  • Set username and theme cookies and inspect simulated response headers
  • Trigger next request and verify cookie values are read server-side
  • Expire cookies and observe fallback behavior on next request

Takeaway: cookie attributes control both persistence and security posture.

Resources & References


Structured Debug Checklist


  1. Verify the primary API usage for Session Tracking using Cookies is correct (imports, method names, config).
  2. Check request/bean/session flow and object lifecycle assumptions.
  3. Inspect server logs for the first exception (not just the final symptom).
  4. Reproduce one failing case and one passing case before finalizing fixes.

Exam Preparation Questions: Short


  • Define Session Tracking using Cookies with one practical use case.
  • Write/identify the key API or construct: Cookie creation/read/expiry.
  • Differentiate: Persistent cookies vs session cookies.
  • Mention one common implementation error and correction.

Exam Preparation Questions: Long


  • Explain Session Tracking using Cookies with architecture/flow and implementation steps.
  • Write a structured answer comparing two approaches used in this topic.
  • Discuss debugging strategy for this topic with likely failure points.

Practice Task


  • Implement: Store user preference in cookie and retrieve on next request.
  • Add console/log output to validate flow step-by-step.
  • Document one bug you encountered and the exact fix.

Checklist


Can you:

  • explain Session Tracking using Cookies in your own words?
  • implement a basic example end-to-end?
  • identify and fix one common runtime issue?

Next Lecture


  • Topic: Lecture 22 - Session Tracking with HttpSession
  • Preparation required: revise this lecture summary and code walkthrough

Questions?
