If a user has their cookies disabled, are there any other techniques, in addition to URL rewriting, that enable the maintenance of state information using JSP?

Ryan Breidenbach

The only other reliable way you can track a user's state is to place some sort of state information in the HTML you send to the user. The two clearest ways of implementing this are:

  1. Place a user identifier as a parameter in the HTML you are sending. For example, if the HTML you are sending to the user submits a form, you include something like this:
    <form method="post"....>
    <input type="hidden" name="userID" value="12345">
    If the user's request is a GET instead of a POST (like above), you would need to append this parameter to the URL, like:
    <a href="http://www.somesite.com?userID=12345>
    Click HERE!</a>
    Of course, this ID would map to state information you have on the server side where it can be retrieved. How this isimplemented doesn't matter. It can map to a key in a Hash, a primary key in a database, a EJB PK, whatever. Just as long as this parameter can let the server retreive the user's state.

  2. You could always place all the state information in the HTML as hidden fields. This would be the same as above, but instead of using a key, you would put the actual data. Not a very flexible idea, especially if there is a lot of data regarding user state.
Another note: be sure that if you use a key, you encrypt the key so that the ID you are using cannot be easily guessed to map back to a real key in the server. This will help prevent fraudulant access to user data.

Once you try either of these techniques a bit, you will appreciate the Servlet API's abstraction of tracking user state!