Invalidating a session using session id
The Session Tracking API, as we call the portion of the Servlet API devoted to session tracking, should be supported in any web server that supports servlets.
Many web servers also support session tracking based on URL rewriting, as a fallback for browsers that don't accept cookies. For a servlet to support session tracking via URL rewriting, it has to rewrite every local URL before sending it to the client.
There are several methods involved in managing the session life cycle: This method returns whether the session is new.
A session is considered new if it has been created by the server but the client has not yet acknowledged joining the session.
This method may use different rules than On servers that don't support URL rewriting or have URL rewriting turned off, the resulting URL remains unchanged. Then it continues on to display the current session's ID, whether it is a new session, the session's creation time, and the session's last access time.
Now here's a code snippet that shows a servlet redirecting the user to a URL encoded to contain the session ID: servlet shown in Example 7-7 uses most of the methods discussed thus far in the chapter to snoop information about the current session and other sessions on the server. Next the servlet displays whether the requested session ID (if there is one) came from a cookie or a URL and whether the requested ID is valid.