Invalidating the existing session and creating a new session in servlets
In other words, servlets have built-in session tracking. Yes, we do feel a little like the third grade teacher who taught you all the steps of long division, only to reveal later how you could use a calculator to do the same thing.
To demonstrate these methods, Example 7-5 shows a servlet that manually invalidates a session if it is more than a day old or has been inactive for more than an hour. Behind the scenes, the session ID is usually saved on the client in a cookie or sent as part of a rewritten URL. Finally, you can remove an object from a session with if the session being accessed is invalid (we'll discuss invalid sessions in an upcoming section). Example 7-4 shows a simple servlet that uses session tracking to count the number of times a client has accessed it, as shown in Figure 7-2. For example, a user's session object provides a convenient location for a servlet to store the user's shopping cart contents or, as you'll see in Chapter 9, "Database Connectivity", the user's database connection.
A servlet uses its request object's This method returns an array that contains the names of all objects bound to this session or an empty (zero length) array if there are no bindings.
Other implementations, such as using SSL (Secure Sockets Layer) sessions, are also possible.
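The expiry check described above (a session more than a day old, or inactive for more than an hour), written as an added example and not the book's Example 7-5. The class name, constants and output text are hypothetical, and the `javax.servlet` API is assumed (newer containers use the `jakarta.servlet` package instead).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class name, constants and messages are hypothetical.
public class SessionExpiryServlet extends HttpServlet {
    static final long MAX_AGE_MS  = 24L * 60 * 60 * 1000; // one day since creation
    static final long MAX_IDLE_MS = 60L * 60 * 1000;      // one hour since last access

    // Pure policy check, kept separate so it can be unit tested without a container.
    static boolean isExpired(long createdMs, long lastAccessedMs, long nowMs) {
        return nowMs - createdMs > MAX_AGE_MS || nowMs - lastAccessedMs > MAX_IDLE_MS;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // false: look up the existing session without creating one as a side effect.
        HttpSession session = req.getSession(false);
        boolean replaced = false;
        if (session != null) {
            try {
                if (isExpired(session.getCreationTime(),
                              session.getLastAccessedTime(),
                              System.currentTimeMillis())) {
                    session.invalidate();   // unbinds every object; the old ID is dead
                    session = null;
                    replaced = true;
                }
            } catch (IllegalStateException alreadyInvalid) {
                // The container invalidated the session between lookup and check.
                session = null;
                replaced = true;
            }
        }
        if (session == null) {
            session = req.getSession(true); // fresh session with a new ID
        }
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println(replaced ? "Previous session expired; new session started."
                             : "Session is valid.");
        out.println("New session: " + session.isNew());
    }
}
```

The response reports only whether the session was replaced; the session ID itself is never written to the page.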